Abstract


The actor message-passing model of concurrent computation has inspired new ideas in the areas
of knowledge-based systems, programming languages and their semantics, and computer systems
architecture. The model itself grew out of computer languages such as Planner, Smalltalk, and Simula,
and out of the use of continuations to interpret imperative constructs within λ-calculus. The
mathematical content of the model has been developed by Carl Hewitt, Irene Greif, Henry Baker, and
Giuseppe Attardi. This thesis extends and unifies their work through the following observations.

The ordering laws postulated by Hewitt and Baker can be proved using a notion of global time.
The most general ordering laws are in fact equivalent to an axiom of realizability in global time.
Independence results suggest that some notion of global time is essential to any model of concurrent
computation.

Since nondeterministic concurrency is more fundamental than deterministic sequential
computation, there may be no need to take fixed points in the underlying domain of a power domain. Power
domains built from incomplete domains can solve the problem of providing a fixed point semantics
for a class of nondeterministic programming languages in which a fair merge can be written.

The event diagrams of Greif’s behavioral semantics, augmented by Baker’s pending events, form
an incomplete domain. Its power domain is the semantic domain in which programs written in
actor-based languages are assigned meanings. This denotational semantics is compatible with behavioral
semantics.

The locality laws postulated by Hewitt and Baker may be proved for the semantics of an
actor-based language. Altering the semantics slightly can falsify the locality laws. The locality laws thus
constrain what counts as an actor semantics.
Chapter I


Introduction 


Today's algorithmic programming languages were designed to express deterministic sequential
algorithms. They were not designed to express algorithms for the distributed computer networks and
network-like multiprocessors that are now being designed and built. Algorithms for these networks
and multiprocessors make use of concurrent computation and are often nondeterministic in that they
do not specify a unique outcome.

The now classic Scott-Strachey theory of programming language semantics deals only with
deterministic programming languages. That is, using the Scott-Strachey theory to describe the semantics
of a language defines a unique mathematical object for every well-formed language construct. The
hallmark of nondeterministic programming languages, however, is a kind of semantic ambiguity:
some programs may for a given input produce any of several possible outputs.

Why not extend the Scott-Strachey theory by making the mathematical object corresponding
to the output of a nondeterministic program be the set of its possible outputs? Gordon Plotkin
has done precisely that in working out the theory of power domains, so called by analogy with
power sets. 1 Each element of a power domain is a set of possible outcomes of a nondeterministic
program or program fragment. One of the most important shortcomings of power domains has been
their seeming inability to deal with fair merge, finite delay, unbounded nondeterminism, and other
manifestations of fair parallelism.

This thesis presents a theory of semantics for a class of nondeterministic programming languages 
with fair parallelism. Specifically, this thesis is concerned with programming languages based on the 
actor model of concurrent computation. 2 Actor semantics shows that power domains can be made to 
overcome the problem of fairness. 

1.1. Fairness 

Consider the problem of scheduling disk operations requested by concurrent processes. Because 
the disk is slow relative to the processes, requests should be buffered; let’s call a request in the buffer 
a pending request. Two possible scheduling strategies are the First Come First Served strategy and 
the Shortest Seek Time First strategy. The First Come First Served strategy services pending requests 
in the order they arrive at the scheduler. The Shortest Seek Time First strategy attempts to minimize 
disk head motion by always servicing the pending request that involves moving the disk head the 
shortest distance. In many cases the Shortest Seek Time First strategy gives better average response 
time than the First Come First Served strategy. 3 Unfortunately, the Shortest Seek Time First strategy 
is incorrect because it cannot guarantee that every pending request will be serviced. 

Figure 1 shows why. Process P₀ wishes to read a cylinder near the center of the disk. Process P₁
wishes to read and write cylinders near the disk’s outer edge. The disk head happens to be over P₁’s
cylinders. Suppose process P₁, in a burst of activity, sends fifty or so requests to the disk scheduler, all
involving cylinders near the outer edge of the disk. Suppose furthermore that whenever process P₁
receives confirmation that one of its requests has been serviced, it sends yet another request to the disk

1 G D Plotkin, “A powerdomain construction”, SIAM J Computing 5, 3, September 1976, pages 452-487.

2 For a very diverse, nontechnical, amusing introduction to actor-based languages, see Ted Nelson [editor], “Symposium
on actor languages”, Creative Computing 6, 10, October 1980, pages 61-86, continued in Creative Computing 6, 11,
November 1980, pages 74-94.

3 Micha Hofri, “Disk scheduling: FCFS vs. SSTF revisited”, CACM 23, 11, November 1980, pages 645-653. This article
fails to observe that without modification the SSTF algorithm is incorrect.

Figure 1. Disk cylinders accessed by two processes.


scheduler. If the disk scheduler is using the Shortest Seek Time First strategy, process P₁ will capture
the disk. Process P₀ will be locked out, and any disk requests made by process P₀ will remain pending
forever. That isn’t fair.
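The lockout described above can be reproduced with a small simulation. This is an added example, not code from the thesis; the cylinder numbers, the burst size of 50, and all function names are assumptions chosen to match the scenario in the text.

```python
from itertools import count

# Constructed sample geometry (assumption): a 200-cylinder disk.
OUTER = range(180, 200)   # cylinders near the outer edge, used by P1
INNER_CYLINDER = 10       # the single cylinder near the center wanted by P0


def p1_cylinders():
    """Endless deterministic stream of outer-edge cylinders requested by P1."""
    for i in count():
        yield OUTER.start + (i * 7) % len(OUTER)


def fcfs(pending, head):
    """First Come First Served: always service the oldest pending request."""
    return 0


def sstf(pending, head):
    """Shortest Seek Time First: service the request closest to the head."""
    return min(range(len(pending)), key=lambda i: abs(pending[i][1] - head))


def service_step_of_p0(pick, services, burst=50, head=190):
    """Run the scheduler for `services` disk operations.

    P1 opens with a burst of requests, then P0's single request arrives.
    Each time a P1 request is serviced, P1 immediately sends another one.
    Returns the step at which P0 is serviced, or None if P0 is still
    pending when the simulation stops.
    """
    stream = p1_cylinders()
    pending = [("P1", next(stream)) for _ in range(burst)]
    pending.append(("P0", INNER_CYLINDER))
    for step in range(1, services + 1):
        owner, cylinder = pending.pop(pick(pending, head))
        head = cylinder                      # the head moves to the serviced cylinder
        if owner == "P0":
            return step
        pending.append(("P1", next(stream)))  # confirmation triggers a new request
    return None


if __name__ == "__main__":
    print("FCFS services P0 at step", service_step_of_p0(fcfs, 1_000))
    print("SSTF services P0 at step", service_step_of_p0(sstf, 20_000))
```

Under Shortest Seek Time First the head never leaves cylinders 180 to 199, so P0's request stays pending for any finite horizon you choose; First Come First Served reaches it right after the initial burst.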

On the other hand the First Come First Served scheduling strategy is fair. For that very reason,
however, it causes problems for power domain semantics. For example suppose process P₀ makes
one disk request, represented by a 0, while process P₁ makes infinitely many disk requests, each
represented by a 1. This situation is diagrammed in Figure 2, where 1^ω indicates an infinite sequence
of ones. 4 As is usual in programming language semantics, time has been left out of the picture in
order to obtain a more abstract description—but as a result it is impossible to say where the 0 should
appear in the output of the First Come First Served scheduler. Depending on the timing, the output
could be any of


4 Throughout this thesis ω is the first infinite ordinal, the first infinite cardinal, and the set of natural numbers with the
usual ordering. Identifying these three conceptually distinct objects is a vice common among mathematicians who have
studied set theory.

Figure 2. Data flow diagram of a scheduling problem.

011111111···
101111111···
110111111···
111011111···

and so on. The infinite sequence of ones is not a possible output, though, because it does not contain
the 0 that is sent to the scheduler by process P₀. In other words the First Come First Served scheduler,
abstractly considered, performs an arbitrary fair merge on its inputs.

Notice that nondeterminism is a property of our abstract description of the First Come First 
Served scheduling algorithm, not a property of the algorithm itself. 

Nonetheless conventional power domain semantics attempts to account for nondeterminism in
terms of choice points within the program’s execution sequence. In the case of a merge program the
choice points represent decisions about which value to output next. Figure 3 shows the choice tree for
a merge of 0 and 1^ω. At the beginning of execution no outputs have been produced, so the root of the
choice tree is labelled by a special symbol ⊥ standing for the empty output. The program must then
choose whether to produce 0 or 1 as its next output. If it produces 0, each subsequent output must be
a 1. If it produces 1, however, it faces the same choice all over again.

Figure 3. The choice tree for a merge of 0 and 1^ω.

Conventional power domain semantics regards each branch of the choice tree as a possible
execution sequence of the merge. The possible outputs of the merge are the limits of these branches.
Observe, however, that 1^ω is the limit of the rightmost branch, so the choice tree in Figure 3 does
not represent a fair merge of 0 and 1^ω. In fact, no such choice tree drawn according to the rules
of conventional power domain semantics can represent the arbitrary fair merge of 0 and 1^ω. As a
corollary, conventional power domain semantics cannot give the abstract semantics of a First Come
First Served scheduler.

Fair scheduling can be programmed in languages based on the actor model of computation. 5 
Conventional power domains are therefore inadequate as a basis for actor semantics. Chapters III and 
IV develop and illustrate unconventional power domains that can deal with fair parallelism. 

5 Carl Hewitt, Giuseppe Attardi, and Henry Lieberman, “Specifying and proving properties of guardians for distributed 
systems”, in Semantics of Concurrent Computation, Springer-Verlag Notes in Computer Science 70, 1979. 
1.2. Overview


The actor message-passing model of concurrent computation has inspired new ideas in the areas
of knowledge-based systems, 6 programming languages and their semantics, 7 and computer systems
architecture. 8 The model itself grew out of computer languages such as Planner, 9 Smalltalk, 10 and
Simula, 11 and out of the use of continuations to interpret imperative constructs within λ-calculus. 12
The mathematical content of the model has been developed by Carl Hewitt, Irene Greif, 13 Henry
Baker, 14 and Giuseppe Attardi. 15 This thesis extends and unifies their work.

Chapter II introduces the actor model and gives a mathematical definition of the actor event
diagrams introduced by Greif. 16 The main result of Chapter II is that the most general ordering
laws postulated by Hewitt and Baker 17 are equivalent to an axiom of realizability in global time. A
strong independence result further emphasizes the importance of global time in the actor model, and
suggests that some notion of global time is essential to any model of concurrent computation.

Chapter III discusses nondeterminism. It argues that nondeterminism in a programming
language semantics is better understood as incomplete specification than as random choice. It follows
6 Eg Kenneth M Kahn, “An actor-based animation language”, Creative Computing 6, 11, November 1980, pages 75-84.

7 Eg Guy Lewis Steele Jr and Gerald Jay Sussman, “Scheme: an interpreter for extended lambda calculus”, MIT AI
Memo 349, December 1975.

8 Eg the design of the Intel 432 was influenced by the Actor model.


… CA, June 1978, preprint in SIGPLAN Notices 13, 8, August 1978, pages 243-272.

12 Eg Michael J C Gordon, The Denotational Description of Programming Languages, Springer-Verlag, New York, 1979.

13 “Semantics of communicating parallel processes”, MIT Project MAC Technical Report 154, September 1975.

14 “Actor systems for real-time computation”, MIT LCS Technical Report 197, March 1978.

16 “Semantics of communicating parallel processes”.

… Programming Concepts, St Andrews, New Brunswick, Canada, August 1977, 16.1-16.21.
that the nondeterminism in a programming language semantics is, in David Park’s term, loose
nondeterminism. 18 The importance of these philosophical distinctions is that fairness implies unbounded
nondeterminism, whereas viewing nondeterminism as random choice leads to the conclusion that all
nondeterminism is bounded.

What is new in Chapter III is the treatment of power domains. Instead of beginning with a
semantics for sequential programs and then trying to extend it for nondeterministic concurrency,
actor semantics views nondeterministic concurrency as primary and obtains the semantics of sequential
programs as a special case. The mathematical import of this approach is that there is no longer any
need to take fixed points in the domain underlying a power domain. As a result the underlying
domain need not be complete. Extending the power domain construction as in Chapter III to apply
to incomplete domains makes possible a power domain semantics for a class of nondeterministic
programming languages in which a fair merge can be written.

Chapter IV verifies that claim by presenting a specific power domain semantics for actor-based
languages. The event diagrams of Greif’s behavioral semantics, when augmented by Baker’s pending
events, 19 form an incomplete domain. Its power domain is the semantic domain in which programs
written in actor-based languages are assigned meanings.

Chapter V points out that whether or not the locality laws postulated by Hewitt and Baker 20 hold 
for a toy language depends upon details of the language’s semantic equations. The conclusion there 
drawn is that the locality laws constitute the acid test of a programming language’s faithfulness to the 
actor model. Chapter V also extends the semantics of Chapter IV to deal with actor creation. 

The concluding chapter, Chapter VI, suggests some directions for further research. 

The appendixes present the toy language used throughout the thesis to illustrate actors. 

1.3. Related Research 

Plotkin’s original power domain construction was simplified by Michael Smyth, whose paper 

18 David Park, “On the semantics of fair parallelism”, University of Warwick Theory of Computation Report 31, October
1979.

19 “Actor systems for real-time computation”. 

20 “Laws for communicating parallel processes” and “Actors and continuous functionals”.

remains the standard introduction to the subject. 21 A number of nondeterministic programming
languages have now been given a power domain semantics. Of these, the semantics of Communicating
Sequential Processes 22 has had the most influence on actor semantics.

The semantics in Chapter IV is probably the first power domain semantics for languages with fair
parallelism, but it is not the first power domain semantics to deal with unbounded nondeterminism.
R J Back has given a power domain semantics for a language with unboundedly nondeterministic
assignment statements as basic operations. 23 Three differences between Back’s work and actor
semantics stand out. One difference is the source of nondeterminism: basic assignment statements in
Back's paper, message delays in actor semantics. A second difference is that Back is thinking of
nondeterministic sequential programming languages, while actor semantics is concerned primarily with
concurrent programming languages. The third difference is that Back’s power domain apparently is
constructed from a complete underlying domain. This third difference is not entirely clear because
Back's power domain construction appears to be nonstandard. A similarity between Back’s work and
actor semantics is that Back found it necessary to build the power domain out of execution sequences
instead of single states: the actor power domain is built out of actor event diagrams, which may be
thought of as generalized execution sequences.

21 “Power domains”, J Computer and System Sciences 16, 1978, pages 23-36.

22 Nissim Francez, C A R Hoare, Daniel J Lehmann, and Willem P de Roever, “Semantics of nondeterminism, concurrency,
and communication”, J Computer and System Sciences 19, December 1979, pages 290-308.

23 “Semantics of unbounded nondeterminism”, Mathematisch Centrum Report IW 135/80, April 1980.
Chapter II


Ordering Laws 


This chapter illustrates the actor model at its most abstract. A notion of global time is introduced
and used to prove the ordering laws postulated by Hewitt and Baker. Needlessly restrictive ordering
laws are avoided, so that axioms of realizability in global time can be shown equivalent to the ordering
laws. The importance of global phenomena is emphasized through a strong independence result.
Finally, a theorem by Hewitt and Baker is shown to remain true under laws equivalent to a weak
axiom of global time realizability.

II.1. The Actor Model

Ordinary sequential computation is the simplest case of concurrent computation, a far more
general category that includes various kinds of parallel computation as well as the sequential case.
While the sequential case is fairly well understood, however, general concurrent computation is not.
There are two evident ways to develop a better theory of concurrent computation. One is to generalize
the existing theory of sequential computation. The other is to begin with a model of concurrent
computation and create an entirely new theory that can be checked against current theory in the special
case of sequential computation. The actor model is intended to support this second sort of theoretical
development. Generalizing existing theory, as in the first approach, can lead to significantly different
theoretical predictions, as will appear in Chapter III.

As a model of concurrent computation, the actor model emphasizes the communication
occurring during computation. Examples of such communication are the signals transferred along the bus
linking the CPU and memory of a conventional sequential computer, parameter passing between
subroutines of a program, messages transferred between computers in a geographically distributed
network, and process synchronization in a multiprocessing computer. All these communications may
be considered examples of what has come to be called message passing.

The actor model is one of a number of message passing models that have been developed in the
past decade. 1 These models differ in their conception of message passing. For some, the mechanism
of message passing resembles a telephone network, so that message transmission is essentially
instantaneous, but there are times when the line is busy and messages cannot be sent. 2 For the actor model,
however, message passing resembles mail service, so that messages may always be sent but are subject
to variable delays en route to their destinations. As a result, the actor model can be used to analyze
distributed computer networks as well as multiprocessors and programs.

In the actor model, each communication is described as a message arriving at a computational 
agent called an actor. Memory chips, subprograms, and entire computers are examples of things 
that may be thought of as actors. The memory chip might receive addresses and function codes as 
messages, while the subprograms might receive values or locations of parameters, and the computer 
might receive messages as blocks or packets. The actor model refers to the arrival of a message at 
an actor as an event. Thus all events in the model are arrival events, and there is no such thing as a 
sending event. 

The graphic representation of an event is a dot, as below. 

1 Two examples are C A R Hoare, “Communicating sequential processes”, CACM 21, 8, August 1978, pages 666-677,
and George Milne and Robin Milner, “Concurrent processes and their syntax”, JACM 26, 2, April 1979, pages 302-321.

2 This is one way to understand the semantics of “Communicating sequential processes”. See Nissim Francez, C A R
Hoare, Daniel J Lehmann, and Willem P de Roever, “Semantics of nondeterminism, concurrency, and communication”,
J Computer and System Sciences 19, December 1979, pages 290-308.

The actor that receives a message in an event is called the target of the event. The message that
the target receives is just called the message of the event. The target and message of an event are often
described by the notation

[target ← message]

which may appear beside dots representing events.

Sometimes the target of an event, as a direct result of that event, will send messages to other
actors. For example, a memory module receiving a message instructing it to fetch the contents of a
certain address should respond by sending the value stored at that address to the CPU. In this case,
the event of which the memory module is the target activates the event in which the contents of the
specified address arrives at the CPU.

The activation relation appears as an arrow in diagrams.

•  [memory ← fetch address]   →   •  [CPU ← contents]


An event may activate several subsequent events. That is, the arrival of a message at an actor 
may cause that actor to send out a number of messages to other actors. The events that a given event 
activates are said to have that event as their activator. 


[Diagram: event e₀ with activation arrows to events e₁, e₂, and e₃.]

Thus e₀ activates e₁, e₂, and e₃, each of which has e₀ as activator. e₀ is an example of an external
event, that is, an event with no activator. Its cause must be external to the system being modelled,
hence the name. 3 No event has more than one activator, because the message of an event has been
sent only once.

3 External events were called initial events in Carl Hewitt and Henry Baker, “Actors and continuous functionals”, IFIP
Working Conference on Formal Description of Programming Concepts, St Andrews, New Brunswick, Canada, August
1977, 16.1-16.21. This usage conflicts with that in Carl Hewitt and Henry Baker, “Laws for communicating parallel
processes”, IFIP-77, Toronto, August 1977, pages 987-992. The usage of the latter paper is better motivated, since it
defines an initial event as an event that is initial in the activation ordering considered as a category.

Chains of activations define the activation ordering. 



Thus e₀ activates e₂ which activates e₅, so e₀ precedes e₅ in the activation ordering. Similarly both
e₀ and e₁ precede e₄ in the activation ordering. e₄ and e₃ are not related by the activation ordering.

Sometimes an event will not activate any other events. When that happens, the only effect of the
event is whatever effect it may have on the (local) state of its target. Considering the memory module
again, the message Store 7 in 321 will probably cause it to change its state. In this way events
can influence future events even though they do not activate any events themselves. Graphically

e₁ •  [memory ← Store 7 in 321]

e₂ •  [memory ← Fetch 321]   →   e₃ •  [CPU ← 7]

There is no explicit path in this diagram to show that e₃ depends upon e₁. To remedy that the actor
model introduces the arrival ordering of the memory module, which appears as a vertical line.

e₁ •  [memory ← Store 7 in 321]
   |
e₂ •  [memory ← Fetch 321]   →   e₃ •  [CPU ← 7]

Adding this arrival ordering shows that e₁ precedes e₃ in the combined ordering, which is simply the
combination of the activation and arrival orderings.
The arrival ordering emphasizes that the relative order of e₁ and e₂ is significant.

e₂ •  [memory ← Fetch 321]   →   e₄ •  [CPU ← 0]
   |
e₁ •  [memory ← Store 7 in 321]

Here e₁ does not precede e₄ in the combined ordering.

The actor model postulates an arrival ordering for each actor. These arrival orderings are
supposed to be linear, which means that for any two events with the same target, it is always the case
that one of the two occurs first. Some form of arbitration may be necessary to make this supposition
realistic, of course.

An arrival ordering represents the order in which events occur at a particular target actor. Thus
an arrival ordering represents the local time of an actor.

Conventional models of sequential computation make use of global time and global state. That is,
there is only one clock in the system, and the computation is in exactly one well-defined state at any
given time. The transitions between global states are linearly ordered in the global time of the system,
which is what makes sequential computation sequential.

When computation is not sequential, the notions of global state and global time may be
inappropriate. An extreme example suggests why. Suppose a computer in Dallas and another one in
Oklahoma City are linked together to function as a dual processor. The computers are one millisecond
apart at light speed. It is therefore not helpful to insist that events occurring with megahertz
frequencies at the two sites must be thought of as totally ordered in a single global time, for an event
in Dallas clearly cannot affect any part of a hypothetical global state on which an event nanoseconds
later in Oklahoma City depends. Such concurrent systems are better analyzed by splitting the global
state into local pieces and viewing the overall computation as a set of local computations interacting
through message passing.

This kind of local decomposition is important for multiprocessor systems as well as for
geographically distributed systems. Several experimental multiprocessors resemble computer networks, and
multiprocessor networks are becoming available commercially as well. 4

Even large sequential programs are constructed from local modules that communicate through 
the conventional mechanisms of subprogram calls with parameters and shared variables. These 
mechanisms may also be regarded as special cases of message passing. 5 

The actor model emphasizes the ideas of local time and local state. Local times are represented
by the arrival orderings of actors, which operate independently of each other except when they
interact by means of message passing. The communications between actors are represented by the
activation ordering. Hence the combined ordering indicates all possible dependencies among events.
Since in the actor model events cannot be influenced by events that do not precede them in the
combined ordering, the actor model helps to illustrate the modular structure of a computation. On the
other hand, using a single global time to order computation events linearly makes it appear that an
event depends upon all events that happen to come before it in global time.


II.2. Global Time is Necessary

Nonetheless it turns out that some notion of global time is essential to any model of concurrent 
computation. The purpose of this chapter is to show why that is so for the actor model, and to use the 
idea of global time to motivate and improve upon the ordering laws introduced by Hewitt and Baker. 6 

So far the arrival orderings have been required only to be total. Consider, however, an arrival 
ordering with the same order type as the nonpositive integers. 


4 A commercial example I happen to be familiar with is the Advanced Flexible Processor built by the Information Sciences
Division of Control Data Corporation. Up to sixteen of these processors can be configured in a simple bidirectional
ring network, providing a computation rate of well over a billion fixed point arithmetic operations per second in some
signal processing applications.

5 Carl Hewitt, “Viewing control structure as patterns of passing messages”, Artificial Intelligence 8, 1977, pages 323-363.
Also in Winston and Brown [ed], Artificial Intelligence: an MIT Perspective, MIT Press, 1979.

6 Carl Hewitt and Henry Baker, “Laws for communicating parallel processes”, IFIP-77, Toronto, August 1977, pages
987-992. Carl Hewitt and Henry Baker, “Actors and continuous functionals”, IFIP Working Conference on Formal
Description of Programming Concepts, St Andrews, New Brunswick, Canada, August 1977, 16.1-16.21.
This arrival ordering seems unlikely to arise in practice. For an even unlikelier arrival ordering,
considerably harder to draw, consider the order type of the nonnegative rationals. These examples
suggest that the actor model should place further restrictions on the arrival orderings. Such
restrictions are stated by the ordering laws.

For example, one ordering law states that for any two events having the same target there are
only finitely many events lying between them in the arrival ordering of the target. This law rules
out arrival orderings having the order type of the nonnegative rationals, but does not rule out arrival
orderings having the order type of the nonpositive integers. Another ordering law must be added to
eliminate that order type. Other ordering laws must be stated to govern the activation ordering. To
rule out the possibility of impossible situations arising from the interaction of allowable activation and
arrival orderings, ordering laws must be stated for the combined ordering.

While laws can be generated by thinking of arrival, activation, and combined orderings having
undesirable order types and then postulating ordering laws that eliminate them, it would never be
possible to have total confidence that all undesirable order types have been ruled out by such a
process. In other words, this ad hoc approach leaves open the question of the sufficiency of the
ordering laws. Another, less important question concerns the independence of the laws. For example,
Hewitt and Baker conjectured that their law governing the combined ordering was redundant, but
could not prove it. 7

The questions of independence and sufficiency turn out to be related, in that the question of
independence points to the importance of global time, which provides an intuitive basis for considering
the question of sufficiency.

7 “Actors and continuous functionals”.

The answer to the question of sufficiency runs as follows. The ordering laws are nothing more 
than conditions necessary for orderings to be realizable in global time. They should therefore be 
considered complete if they form a necessary and sufficient set of conditions for orderings to be 
embedded in global time. The three strongest ordering laws form such a complete set. That is 
the message of Theorem 1 of §5, wherein they are shown equivalent to a statement of global time 
realizability. 

As for the question of independence, the three strongest ordering laws are strictly stronger than 
the conjunction of all the other ordering laws, even in the presence of the locality laws 8 discussed
in Chapter IV. In particular, the law governing the combined ordering is independent of the other 
laws, which explains why Hewitt and Baker were unsuccessful in proving their conjecture. The reason 
for this law’s independence is that the combined ordering is a global ordering, while the other laws 
deal only with local orderings, namely the activation and arrival orderings. As shown by this law’s 
independence, local laws are not by themselves enough. A global law is needed to make the actor 
model an adequate account of concurrent computation. 


II.3. A Mathematical Formulation

So far the actor model has been described informally. A more rigorous presentation at this point 
will avoid some confusion later on, as well as provide a chance to review the model. Some details 
of the actor model, such as the contents of messages and the behaviors of actors, make no difference
when discussing the ordering laws. Hence they will not be discussed now, but will reappear later. 
The simplified actor model used in this chapter is less detailed and more general than the versions 
considered in chapters III, IV, and V. 

The actor model is perhaps best motivated by the prospect of highly parallel computing machines
consisting of dozens, hundreds, or even thousands of independent monoprocessors, each with its own
local memory and communications processor, communicating via a high performance communications
network in a system much like the computer networks now coming into widespread use. The
model may be thought of as an idealization of such a multiprocessor network, in which the number of
available processors is potentially infinite, much as the tape of a Turing machine is potentially infinite.

8 Hewitt and Baker, “Laws for communicating parallel processes” and “Actors and continuous functionals”.

The primitive objects of the simplified model are events and actors. The actors represent computational
agents. In the idealization suggested above, an actor may be thought of as a program that
has been given its very own processor on which to run. An event represents the arrival of a message at
a target actor.

The model uses partial orders on these events to represent concurrency. There is a treelike 
activation ordering that represents causality, and a set of linear arrival orderings, one for each actor, 
that represent local times. The combined ordering is the transitive closure of the activation and arrival 
orderings, and may be considered to represent feasible concurrency. The combined ordering is similar 
to the concurrency orderings of some other models, but its decomposition into activation and arrival 
orderings is unique to the actor model. 

Write the set of events of a computation as $E$, and the set of actors as $A$. Associated with each
event is its target actor, so let $T : E \to A$ be the function giving the target of each event. The model
does not need to record the sender as well as the target, because the sender can be determined from
the activation ordering unless the event is external. The events with a given target are linearly ordered
by the arrival ordering of the target, so let Arr be a collection of irreflexive total orderings
$\xrightarrow{\text{arr}_a}$ defined on $T^{-1}(a)$, for $a \in A$. There is also the activation ordering
$\xrightarrow{\text{act}}$, an irreflexive partial order on $E$ such that no event has more than one
immediate predecessor. 9

A computation thus becomes a structure 


$(E, A, T, \xrightarrow{\text{act}}, \text{Arr})$.

Not all such structures correspond to reasonable computations, however. The purpose of the ordering 
laws is to characterize those structures that represent real computations. 

9 x is an immediate predecessor of z with respect to an irreflexive ordering < if x < z but there is no y such that
x < y < z.

Figure 1. An example of an activation ordering with two components.

Some readers may be uncomfortable with the infinities allowed by such a structure. The considerations
of the next section will require that the set of events E be countable. E cannot be
required to be finite because that would make the model useless for nonterminating computations. 
For the same reason there may be infinitely many external events, which are simply events having 
no predecessors in the activation ordering. External events are intended to represent events whose 
cause is external to the system being modelled, such as the event of pressing a button or kicking the 
machine. There must be at least one such event in a nonempty computation, but there is no reason to 
insist that there be only one. Each external event defines a component of the activation ordering, and 
each component is a tree with the external event as its root. See Figure 1. 

Figure 1 also illustrates the fact that an event can activate infinitely many events. 10 For example,
receiving a message can cause an actor to enter an infinite loop in which it continues to send out
messages. Another example, motivated by the language Ether, 11 is an event that results in broadcasting a
message to every present and future actor.

10 Hewitt and Baker did not allow this. §8 shows how to modify a proof of theirs that assumed that events can activate
only finitely many events.

The number of actors must be potentially infinite because at times actors represent software
entities such as programs and functions, and in languages such as Lisp new functions can be generated
automatically and endlessly.

II.4. Time, Causality, and Computation

Let $\to$ denote the combined ordering, which is the transitive closure of the activation ordering
$\xrightarrow{\text{act}}$ and the arrival orderings in Arr. If an event $e_1$ precedes another event $e_2$ in the combined
ordering, then there exists a path of causation and local time from $e_1$ to $e_2$. If that is so then $e_1$ must
occur before $e_2$ in time. It makes no difference whether time is measured in the reference frame of the
target of $e_1$, the target of $e_2$, or in any other reference frame, for the existence of the path of causation
and local time between $e_1$ and $e_2$ implies that the time sequence of the two events is invariant among
all observers. Some time relations are absolute, even in the theory of relativity.

Pursuing that thought a bit further, the theory of relativity allows each observer his or her own
global time. These global times may differ, however, concerning the order of events whose relation in
time is not absolute.

There is an analogy with global time in the actor model. When $e_1$ precedes $e_2$ in the combined
ordering, all global times must have $e_1$ happening before $e_2$. When $e_1$ and $e_2$ are not comparable
under the combined ordering, however, there will be global times in which $e_1$ happens first and other
global times in which $e_2$ happens first.

The mathematical notion of global time appropriate for event-structured models of computation
is of a function from the computation events into the real numbers. Often the global time function is
required to be integer-valued, and that will turn out to be the case for the actor model, but for now it
will just be a real-valued function. For the actor model, then, a global time is a mapping

$g : E \to \mathbb{R}$

where $\mathbb{R}$ denotes the real numbers.

11 Bill Kornfeld, “ETHER—a parallel problem solving system”, IJCAI-79, pages 490-492.

Figure 2. A combined ordering that is not irreflexive. (Arrival orderings point downward.)

The reason for considering global times is that commonly held notions about time and computation
will constrain the structures possible for the combined ordering and thus allow an intuitive
derivation of the ordering laws.

One constraint on the global time mapping g is that cause precedes effect. Thus 

[1] g preserves the activation ordering $\xrightarrow{\text{act}}$.

That is, if $e_1 \xrightarrow{\text{act}} e_2$, then $g(e_1) < g(e_2)$.

Another constraint is that global time be consistent with all local times. Thus 

[2] g preserves all the arrival orderings $\xrightarrow{\text{arr}_a}$, for $a \in A$.

Consequently 

[3] g preserves the combined ordering $\to$.

and

[4] The combined ordering $\to$ is irreflexive.

[3] and [4] are equivalent to [1] and [2]. Irreflexivity of the combined ordering does not follow from
irreflexivity of the activation and arrival orderings, as illustrated in Figure 2. It must be stated as a
fundamental ordering law. Hewitt and Baker named it the Law of Strict Causality.

Law of Strict Causality. The combined ordering $\to$ is an irreflexive partial ordering.

So-called Zeno machines are paradoxical machines that can do infinitely many things in a finite 
amount of time. An example is Huffman’s Lamp, which when switched on lights for only thirty 
seconds before turning itself off for fifteen seconds, and then comes back on for seven and a half 
seconds before turning off for three and three quarters seconds, and so on. After one minute it 
ceases to change state. At one second into the second minute, is it on or off? Zeno machines, if they 
existed, could be used for many useful purposes such as providing a decision procedure for first order 
predicate calculus. The fact that they do not exist leads to requiring that 

[5] The range of g has no accumulation points. 

Equivalently, no bounded interval in $\mathbb{R}$ contains infinitely many images of E under g. Equivalently,
because the combined ordering is irreflexive, a global time g can be found that is integer-valued and
one-to-one.

Together with [5] above, the following implies that there is a first event, and thus that the
computation has a definite beginning. 

[6] The range of g is a subset of the nonnegative real numbers.

Putting the above constraints together yields the fundamental axiom on actor orderings, the

(Strong) Axiom of Realizability. There exists a one-to-one mapping g from the events E into
the nonnegative reals that preserves the combined ordering $\to$ and such that $g^{-1}(I)$ is finite for every
bounded interval $I$ of $\mathbb{R}$. Equivalently there exists a one-to-one mapping $g : E \to \omega$ that preserves
$\to$, where $\omega$ is the set of natural numbers.

Occasionally there may be reason to weaken this axiom slightly by not assuming a definite beginning
to the computation as in [6]. For example, many properties of a computer network that has been
operating continuously for years will in no way depend upon there having been a time before the
system was brought up, and so any proof that made use of that fact would be suspect. On the other
hand, if the assumption really is necessary to the proof, then that tells something about the property
being proved, namely that it depends upon the existence of some initial state. For these reasons, and
against the chance that steady state theory may come back into fashion in cosmology, this chapter will
also consider the

Weak Axiom of Realizability. There exists a one-to-one mapping g from the events E into the real
numbers $\mathbb{R}$ that preserves the combined ordering $\to$ and such that $g^{-1}(I)$ is finite for every bounded
interval $I$ of $\mathbb{R}$. Equivalently there exists a one-to-one mapping $g : E \to Z$ that preserves $\to$, where $Z$ is
the set of integers.

As will be shown, the ordering laws follow from the definition of the structure 

$(E, A, T, \xrightarrow{\text{act}}, \text{Arr})$

together with one of the versions of the realizability axiom. 

Two of the ordering laws stated by Hewitt and Baker do not so follow, however, and are not in
fact true in the system of this chapter. One of the laws asserted the existence of an initial event preceding
all other events in the activation ordering. This was nothing more than a simplifying assumption
appearing only in the paper “Laws for communicating parallel processes”. The other asserted that
an event can activate only finitely many events. The previous section gave two examples to justify
omitting this law, one of them being the possibility of an actor entering an infinite sending loop.
Apparently Baker wished to rule out the possibility of loops internal to actors. 12 It is also possible
that the choice of the phrase “immediate successors in the activation ordering”, while well grounded
in established mathematical usage, may have led to thinking of immediate in the sense of time rather
than in the sense of being without intervening events. 13

12 Henry Baker, “Actor systems for real-time computation”, MIT LCS Technical Report 197, March 1978, page 64.

13 ibid, page 37.

II.5. The Strong Axiom of Realizability

An actor event diagram is defined to be a structure 

$(E, A, T, \xrightarrow{\text{act}}, \text{Arr})$

that satisfies the strong Axiom of Realizability, where $E$ and $A$ are arbitrary sets and $T$, $\xrightarrow{\text{act}}$, and
Arr are as described in §3. This section considers the ordering laws as consequences of that definition, 
while the next section considers weaker ordering laws that still hold when the strong axiom is replaced 
by the Weak Axiom of Realizability. 

The global time g whose existence is asserted by the axioms of realizability is not part of the 
structure of an actor event diagram. The axioms assert only that it is possible to embed the activation 
and arrival orderings in time in a certain way. Generally there are many acceptable embeddings. 
Thus, although a particular actor event diagram must be realizable in time, no time sequencing is 
associated with it except the combined ordering. Furthermore, as shown by the main theorems of this
and the next section, the realizability axioms are equivalent to certain simple ordering laws, so that the
set of actor event diagrams may be defined using the ordering laws instead of a realizability axiom,
and the definition need never explicitly mention global times at all.

Apparently the global time itself is seldom needed in practice. The mere possibility of one is
quite constraining, implying as it does the ordering laws, and the ordering laws are generally more
convenient for proofs. It is usually easier to prove properties of computations by considering the
partial orderings themselves than by considering all possible global times, since in considering all
possible linearizations of the partial orders in global time the proof still has to rely on properties of the
partial orders. Hence there is no point to disguising the partial orders by mapping them into linear
time.

As an example, consider the parallelism fork and join in Figure 3. Here an actor executing
a process sends messages to two other actors asking them to start subprocesses to be computed in
parallel with the main process. Either subprocess may finish and return its result first, so Figure 3
shows two possibilities for the join. Each actor event diagram in Figure 3 can be embedded in time in
essentially three ways. For the event diagram on the left, the order of events in global time must be
one of

$e_0, e_1, e_3, e_4$
$e_0, e_1, e_2, e_3, e_4$
$e_0, e_1, e_3, e_2, e_4$

but it makes no difference which. Hence the additional ordering information given by the global time
is useless. Since the global time disguises the fact that $e_2$ and $e_3$ cannot influence one another, the
global time actually gives less information than the actor event diagram.

Figure 3. Parallelism fork and join.

An exceptional situation when it is just as efficient to consider all global times arises when considering
all interleavings of elementary operations in a multiprocessor system where communication
is by means of shared memory. 14 In this instance the possible arrival orderings of the shared memory
when considered as an actor are essentially the same as the possible interleavings, so there is nothing
to gain from the actor point of view. In short, the local time of the memory is effectively the global
time of the system. In less centralized, more modular systems, however, considering the partial orders
directly is superior to considering their many linearizations. Once the ordering laws and their
equivalence to the global time axioms have been derived, therefore, the realizability axioms will have
fulfilled their main purpose.

Most logics that have been proposed for reasoning about parallel programs are based upon
sequences of global states. The realizability axioms suggest that the actor model may be made compatible
with these logics by treating an event as a change of global state, so that a global time specifies
a sequence of global states. To do so, however, is to sacrifice the advantages being claimed for the
actor model. The actor model requires its own verification logic, which remains to be developed. The
semantics presented in Chapter III may be used to justify the proof rules of such a logic.

14 See for example J M Cadiou and J J Levy, “Mechanizable proofs about parallel processes”, Proceedings 14th Annual
Symposium on Switching and Automata Theory, October 1973, pages 34-48.

The first two ordering laws follow from either the weak or the strong realizability axiom. They 
are the 

Law of Strict Causality (LSC). For no $e \in E$ does $e \to e$.
and the 

Law of Countability (LC). There are at most countably many events. That is, E is countable, where 
a finite set is considered countable. 

The first law was stated by Hewitt and Baker 15 and the second is provable in the system of “Laws for 
communicating parallel processes”. 

When the strong axiom is assumed, the intuition that events are only finitely removed from the 
beginning of computation comes back out as the 


Law of Finite Predecession (LFP). For all events $e_1$ the set $\{\, e \mid e \to e_1 \,\}$ is finite.

These three laws are in fact equivalent to the Strong Axiom of Realizability. It is thus a matter 
of choice whether to formalize actor event diagrams using the strong realizability axiom as has been 
done here or using these three ordering laws instead. 

Theorem 1. The strong Axiom of Realizability is equivalent to the conjunction of the Law of Strict
Causality, the Law of Countability, and the Law of Finite Predecession. 16

15 “Laws for communicating parallel processes” and “Actors and continuous functionals”.

16 By assuming the existence of a single initial event that precedes all other events, and that no event can activate
infinitely many events, Hewitt and Baker were able to prove that the Law of Discreteness (given in the next section)
implied a statement equivalent to the strong Axiom of Realizability. Under their assumptions the Law of Countability
and the Law of Finite Predecession also hold, so they had a greatly weakened version of the “if” part of this theorem.
See §2.1 of “Laws for communicating parallel processes”.

Proof. The realizability axiom is easily seen to imply all three (LSC, LC, and LFP).

Let $\{ e_0, e_1, e_2, \ldots \}$ be the set of events. Define a global time g inductively as follows.

Let $g(e_0) = 1$.

Suppose that g has been defined on $\{ e_0, \ldots, e_{n-1} \}$ in such a way that it preserves the combined
ordering $\to$ on the events on which it is defined. That is, $g(e_i) < g(e_j)$ whenever $e_i \to e_j$ for
$i, j < n$. The strategy for defining $g(e_n)$ will be to place it as far to the right as possible. Precisely, if
there exists a $j < n$ such that $e_n \to e_j$, then let $k$ be such that

$g(e_k) = \min\{\, g(e_j) \mid e_n \to e_j,\ j < n \,\}.$

Define

$g(e_n) = \tfrac{1}{2}\bigl( g(e_k) + \max(\{\, g(e_j) \mid g(e_j) < g(e_k),\ j < n \,\} \cup \{0\}) \bigr)$

so that $g(e_k)$ is the first point on the right of $g(e_n)$. The claim is that g is now defined on
$\{ e_0, \ldots, e_{n-1}, e_n \}$ in such a way as to preserve the combined ordering. If not, then, by the induction
hypothesis and the fact that $g(e_n) < g(e_j)$ whenever $e_n \to e_j$, $j < n$, there must be some particular
$i < n$ such that $e_i \to e_n$ but $g(e_n) < g(e_i)$. This implies also that $g(e_k) < g(e_i)$. Now
since $e_n \to e_k$, the transitivity of the combined ordering gives $e_i \to e_k$, which by LSC contradicts the
fact that g preserves $\to$ on $\{ e_0, \ldots, e_{n-1} \}$. Thus no such i can exist, and g has been extended to
$\{ e_0, \ldots, e_{n-1}, e_n \}$ while still preserving the combined ordering.

If there is no $j < n$ such that $e_n \to e_j$, then just put $g(e_n)$ out to the right of all other points
defined so far, say

$g(e_n) = 1 + \max\{\, g(e_j) \mid j < n \,\}.$


As before, the combined ordering is preserved. 

By induction the combined ordering is preserved at all stages. Any non-preservation of that
ordering in the whole function g would already have arisen at some finite stage, and so g is a
one-to-one positive-valued function that preserves the combined ordering. It only remains to be shown
that its range has no limit points. This is equivalent to showing that the left-open unit intervals with
integral endpoints, that is, intervals of the form $(m, m+1]$ for m a natural number, each contain
only finitely many points of the range.

If $(m, m+1]$ contains any range points at all, then by the way g is defined $m + 1 = g(e_n)$
for some n, and the interval $(m, m+1]$ contains none of the points $g(e_0), \ldots, g(e_{n-1})$. That is, the
interval was empty when $g(e_n)$ was defined. Now it happens that the pre-images of all range points
placed in that interval after $g(e_n)$ precede $e_n$ in the combined ordering. Whenever $g(e)$ is defined to
be a non-integer, e precedes the pre-image of the range point immediately to its right at the time of its
definition. Thus the pre-image of the first range point placed in $(m, m+1]$ after $g(e_n)$ precedes $e_n$
in the combined ordering. The second does also, by transitivity of $\to$ if needed, and so on for all the
range points placed in the interval. Hence if g takes infinitely many values in the interval $(m, m+1]$
then there must be infinitely many events that precede $e_n$ in the combined ordering. This contradicts
the Law of Finite Predecession. ∎

Figure 4. Irreflexive activation and arrival orderings do not imply an irreflexive combined ordering.

The proof just given reveals that if $e, e' \in E$ are not related by the combined ordering, then there
exists a global time g such that $g(e) < g(e')$.
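The inductive construction from the proof of Theorem 1, together with the combined ordering and the Law of Strict Causality check it relies on, as an added Python example (not code from the thesis). The fork-join diagram is an assumed reading of the left half of Figure 3, the cyclic diagram is constructed in the spirit of Figure 2, and all function names are hypothetical.

```python
from fractions import Fraction
from itertools import permutations


def combined_ordering(activation, arrivals):
    """Transitive closure of the activation pairs and the per-actor arrival chains."""
    rel = set(activation)
    for chain in arrivals.values():              # one linear arrival ordering per actor
        rel |= set(zip(chain, chain[1:]))
    while True:
        new = {(a, d) for a, b in rel for c, d in rel if b == c} - rel
        if not new:
            return rel
        rel |= new


def strictly_causal(rel):
    """Law of Strict Causality: no event precedes itself in the combined ordering."""
    return all(a != b for a, b in rel)


def global_time(enumeration, rel):
    """Global time built by the induction in the proof of Theorem 1."""
    g = {}
    for e in enumeration:
        successors = [g[x] for x in g if (e, x) in rel]   # placed events that e precedes
        if not g:
            g[e] = Fraction(1)                            # g(e_0) = 1
        elif successors:
            right = min(successors)                       # g(e_k)
            left = max([v for v in g.values() if v < right] + [Fraction(0)])
            g[e] = (right + left) / 2                     # g(e_k) stays first on the right
        else:
            g[e] = 1 + max(g.values())                    # right of every point so far
    return g


def preserves(g, rel):
    """True if g is one-to-one and a -> b implies g(a) < g(b)."""
    return len(set(g.values())) == len(g) and all(g[a] < g[b] for a, b in rel)


def integer_time(g):
    """For a finite diagram: the order-isomorphic global time with values in omega."""
    rank = {v: i for i, v in enumerate(sorted(g.values()))}
    return {e: rank[v] for e, v in g.items()}


def linearizations(events, rel):
    """Every total order of a finite event set that is consistent with rel."""
    return [p for p in permutations(events)
            if all(p.index(a) < p.index(b) for a, b in rel)]


# Assumed reading of the left diagram of Figure 3 (the figure is not in the text):
# e0 arrives at the main actor and activates e1 and e2 at two workers; their
# replies e3 and e4 arrive back at the main actor in that order.
FORK_JOIN = combined_ordering(
    activation={("e0", "e1"), ("e0", "e2"), ("e1", "e3"), ("e2", "e4")},
    arrivals={"main": ["e0", "e3", "e4"], "worker1": ["e1"], "worker2": ["e2"]},
)

# Constructed diagram: activation and arrival orderings are each irreflexive,
# yet x1 -> x2 -> y1 -> y2 -> x1 closes a cycle in the combined ordering.
CYCLIC = combined_ordering(
    activation={("x2", "y1"), ("y2", "x1")},
    arrivals={"a": ["x1", "x2"], "b": ["y1", "y2"]},
)

if __name__ == "__main__":
    events = ["e0", "e1", "e2", "e3", "e4"]
    print("LSC holds:", strictly_causal(FORK_JOIN), strictly_causal(CYCLIC))
    for order in linearizations(events, FORK_JOIN):
        print("global time order:", order)
    g = global_time(["e4", "e2", "e3", "e0", "e1"], FORK_JOIN)
    print(sorted(g.items(), key=lambda kv: kv[1]))
    print(integer_time(g))
```

Enumerating e2 before e3, or e3 before e2, makes the construction order the two incomparable events either way, which is the remark that follows the proof.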

The Law of Finite Predecession has two immediate corollaries concerning the primitive, local 
orderings, but taken together they remain weaker than LFP itself. 


Law of Finite Predecession in the Activation Ordering. For all events $e_1$ the set

$\{\, e \mid e \xrightarrow{\text{act}} e_1 \,\}$

is finite.

Law of Finite Predecession in an Arrival Ordering. For all events $e_1$ and actors $a$ the set

$\{\, e \mid e \xrightarrow{\text{arr}_a} e_1 \,\}$

is finite. (Of course the set is empty if $T(e_1) \neq a$.)


Figure 5. An infinite backward chain in the combined ordering.


Theorem 2. The strong Axiom of Realizability is stronger than

1. The conjunction of all the laws in this section and the next except for the Law of Strict
Causality.

2. The conjunction of all the laws in this section and the next except for the Law of Countability.

3. The conjunction of all the laws in this section and the next except for the Law of Finite
Predecession.

Proof. It suffices to consider the five laws stated above, except that for part 3 the Law of 
Discreteness (or its equivalent) from the next section must be considered because it is a corollary of 
the law being excluded. 

Part 1 is shown by Figure 4. Without the Law of Countability, there may be uncountably many
external events, whence part 2. Part 3 is shown by Figure 5, which illustrates an infinite backward
chain in the combined ordering having the order type of the negative integers and consisting of alternating
arrival and activation ordering links, where each arrival ordering link is taken from a different
arrival ordering. ∎

The independence results of Theorem 2 already provide abundant evidence that local laws cannot
replace global time in the actor model. To paraphrase the theorem, irreflexivity of the activation
and arrival orderings does not imply irreflexivity of the global combined ordering, the local laws do
not insure global countability, and finite predecession in the activation and arrival orderings does not
imply finite predecession for the combined ordering. Indeed, local discreteness does not imply global
discreteness, but that fact will not be stated precisely until the end of the next section and then an
entire section will be devoted to its proof. 17

Independence results similar to Theorem 2 continue to hold even in the presence of ordering
laws stronger than those presented in this section. The axiom then becomes merely independent of
rather than stronger than the conjunctions of ordering laws, of course. In particular, modulo the
replacement of “stronger than” by “independent of”, parts 1 and 3 of Theorem 2 remain true in the
presence of additional ordering laws forbidding more than one external event and forbidding events
that activate infinitely many events.

On the other hand, in the presence of the Law of Discreteness from the next section, the existence
of an initial event preceding all other events in the combined ordering implies the Law of Finite
Predecession. Thus adding a law postulating such an initial event would require modifying assertion
3 of Theorem 2 so as to exclude the Law of Discreteness and its equivalent, the Law of Finite Chains
Between Events in the Combined Ordering, as well as the Law of Finite Predecession.

An independence result that strengthens part 3 of Theorem 2 by allowing locality laws and these
additional ordering laws is presented formally in §7.

17 In §2.4.10 of “Actor systems for real-time computation”, Henry Baker gave an example showing that discreteness
of two trees does not imply discreteness of the transitive closure of their union. The counterexample to be presented
in §7 of this chapter improves upon his result by taking into account the special nature of the activation and arrival
orderings.

II.6. The Weak Axiom of Realizability

Now suppose that the strong Axiom of Realizability is replaced by the Weak Axiom of Realizability,
so computations are allowed to be infinite in past time as well as in future time. This may seem
a strange possibility to consider. Its practical motivation is the fact that some programs are pure in the
sense that they never change, and properties of such programs may be proved using only the weak
axiom. 18 Properties whose proof requires the strong axiom depend upon what has happened in the
past, and are usually proved by induction from some initial state. Hence there is a real and useful
distinction between properties that require only the weak axiom and those that require the full power
of the strong axiom.

The Law of Strict Causality and the Law of Countability remain true under the weak axiom, but
the Law of Finite Predecession is replaced by the

Law of Discreteness (LD). 19 For all events $e_1$ and $e_2$, the set

$\{\, e \mid e_1 \to e \to e_2 \,\}$

is finite.

This law is equivalent to the 

Law of Finite Chains Between Events in the Combined Ordering. There are no infinite chains 20 of
events between two events in the combined ordering $\to$.

18 A simple example of such a proof is found in §8.

19 This was called the Law of Finitely Many Events between two events in the Combined Ordering in a revised version
of Carl Hewitt and Henry Baker, “Actors and continuous functionals”, MIT LCS Technical Report 194, December 1977.
It appeared first in Hewitt and Baker, “Laws for communicating parallel processes”, August 1977, but in that paper it
was equivalent to the Law of Finite Predecession due to their assumption of an initial event.

20 A chain is just a linearly ordered set.

Theorem 1. Assume the Law of Strict Causality. Then the Law of Discreteness is equivalent to the
Law of Finite Chains Between Events in the Combined Ordering. 21

Proof. The only if direction is trivial. 

To prove the converse, assume there are no infinite chains between events in the combined 
ordering. Then by the totality of arrival orderings, an event has either no predecessors in the arrival 
ordering of its target, or it has a unique immediate predecessor. Similarly, an event is either external 
or has a unique immediate predecessor in the activation ordering, namely its activator. Therefore no 
event has more than two immediate predecessors in the combined ordering. 

Now suppose that for some $\varepsilon_1$ and $\varepsilon_2$ the set $\{\, e \mid \varepsilon_1 \to e \to \varepsilon_2 \,\}$ is infinite. We will inductively
construct an infinite chain, contrary to hypothesis. Let $e_0 = \varepsilon_2$.

We have a sequence $e_0, \ldots, e_n$ such that

$\varepsilon_1 \to e_n \to e_{n-1} \to \cdots \to e_0 = \varepsilon_2$

and $\{\, e \mid \varepsilon_1 \to e \to e_n \,\}$ is infinite. If $e_n$ is not an external event, let $\varepsilon$ be its activator, and if $e_n$ is
not the first event in the arrival ordering for $T(e_n)$ let $\varepsilon'$ be the unique immediate predecessor of $e_n$ in
that arrival ordering. If $e_n$ is not external and $\{\, e \mid \varepsilon_1 \to e \to \varepsilon \,\}$ is infinite, then define $e_{n+1} = \varepsilon$.
Otherwise $\varepsilon'$ exists and $\{\, e \mid \varepsilon_1 \to e \to \varepsilon' \,\}$ is infinite, so define $e_{n+1} = \varepsilon'$. ∎

This proof is essentially the proof of König’s Lemma for ordered trees, and does not assume an axiom
of choice. 22 Thus the two laws may be interchanged freely. Usually the Law of Finite Chains in the
Combined Ordering will be easier to prove, and the Law of Discreteness will seem stronger in use.

The Law of Discreteness also implies the existence of global time functions. 23 

21 This is a sharpened statement of a fact observed by Hewitt and Baker in the revised version of “Actors and continuous
functionals”. Since in their paper events could only activate finitely many events, König’s Lemma could be used in either
direction. No proof appears in that paper, but the proof given by Baker in “Actor systems for real-time computation”,
MIT LCS Technical Report 197, March 1978, fails without the assumption of finite activation. Incidentally, the footnote
in “Laws for communicating parallel processes” that says that discreteness is the stronger condition must refer to general
orderings.

22 Raymond Smullyan, First Order Logic, Springer-Verlag, New York, 1968. Baker’s proof used König’s lemma for
unordered trees and thus assumed an axiom of choice.

23 This was observed by Hewitt and Baker in “Laws for communicating parallel processes”, but their statement assumes
also the existence of an initial event, so for them the Law of Discreteness was equivalent to the Law of Finite Predecession.
They also assumed no event could activate infinitely many events.

Theorem 2. The Weak Axiom of Realizability is equivalent to the conjunction of the Law of Strict
Causality, the Law of Countability, and the Law of Discreteness.

Proof. The weak axiom clearly implies LSC, LC, and LD.

Let $e_0, e_1, e_2, \ldots$ be the events. Define a global time g inductively as follows.

Define $g(e_0) = 0$.

The induction hypothesis for n, IH(n), is the following: $g(e_0), \ldots, g(e_{n-1})$ have been defined
so that

1. g is one-to-one.

2. g is integer valued.

3. the combined ordering is preserved.

4. g is already defined on all $e_k$ lying between any two of $e_0, \ldots, e_{n-1}$ in the combined
ordering. That is,

$\forall i, j, k \quad 0 \le i, j \le n-1 \wedge e_i \to e_k \to e_j \Rightarrow 0 \le k \le n-1.$

Clearly the fourth part of the induction hypothesis will be impossible to arrange without periodically
re-ordering the $e_i$'s, and we must be careful in that re-ordering not to upset the main induction.

Assume IH(n). There are two cases, depending on whether or not $e_n$ is related by $\to$ to any of
$e_0, \ldots, e_{n-1}$. In the simple case, when $e_n$ is not related, define

$g(e_n) = 1 + \max\{\, g(e_i) \mid 0 \le i \le n-1 \,\}.$

Clearly 1, 2, and 3 of IH(n) hold. Also 4 holds because $\to$ is transitive and $e_n$ is unrelated to
$e_0, \ldots, e_{n-1}$.

Now the hard case, where $e_n$ is related to at least one of $e_0, \ldots, e_{n-1}$. By 4 of IH(n), either
$e_n$ precedes all those it is related to, or it follows all those it is related to. Let us say $e_n$ follows all
of $e_0, \ldots, e_{n-1}$ that it is related to, since the other possibility is handled in exactly the same fashion.
(That is, with arrows reversed, $1 + \max\{\, g(e_i) \mid 0 \le i \le n-1 \,\}$ replaced by
$\min\{\, g(e_i) \mid 0 \le i \le n-1 \,\} - 1$, et cetera.)

If there does not exist an $e_k$ such that $k > n$ and, for some i, $0 \le i \le n-1$, $e_i \to e_k \to e_n$
is true, then define $g(e_n) = 1 + \max\{\, g(e_i) \mid 0 \le i \le n-1 \,\}$. IH(n + 1) then clearly holds.
Otherwise we must re-order $\{\, e_i \mid i > n \,\}$.

Let

$\{ e_{k_1}, \ldots, e_{k_m} \} = \bigcup_{i=1}^{n-1} \{\, e_k \mid k > n \text{ and } e_i \to e_k \to e_n \,\}.$

The finiteness of this set is guaranteed by LD. We may assume $k_1 < \cdots < k_m$. We re-order
the set $\{\, e_i \mid n \le i \le k_m \,\}$ by pulling $e_{k_1}, \ldots, e_{k_m}, e_n$ out of it and placing them in front, so that the
new order looks like

$e_{k_1}, e_{k_2}, \ldots, e_{k_m}, e_n, \ldots, e_{k_1-1}, \ldots, e_{k_m-1}$

and relabel as

$e'_n, e'_{n+1}, \ldots, e'_{n+m-1}, e'_{n+m}, e'_{n+m+1}, \ldots, e'_{k_1-1+m}, e'_{k_1+1+(m-1)}, \ldots, e'_{k_m}.$


What has been accomplished by this re-ordering? First of all, nothing has been ruined by it.
$g$ is still defined in the same way on the same events, and $IH(n)$ still holds. Some points are now
farther back—at most $m$ events farther back—in the new ordering, but if $g$ were to be defined on
$e_{k_1}, \ldots, e_{k_m}$ and $e_n$ (newly relabelled $e'_n, \ldots, e'_{n+m-1}, e'_{n+m}$) without any further relabelling of the
$e'_i$, $i > n+m$, then every event $e'_i$ would be at least one event closer to being defined than in the
original labelling. And in fact it is possible to define $g$ on $e'_n, \ldots, e'_{n+m-1}, e'_{n+m}$ while maintaining
the induction hypothesis and without disturbing $e'_i$, $i > n+m$.

Proof of claim: $IH(n)$ still holds, so try again to define $g$ on the $n$th event, but this time use
the new ordering, ie define $g(e'_n)$. Relabelling may again be necessary, but no $e'_i$ with $i > n+m$
will be relabelled. That is because $e_j \to e'_i \to e'_n$ for some $j$, $0 \le j \le n-1$ would imply
$e_j \to e'_i \to e_n$ (since $e'_n \to e_n$), contradicting $e'_i \notin \{ e_{k_1}, \ldots, e_{k_m} \}$. In fact, several relabellings may be
necessary before $g$ becomes defined on an event, but these relabellings can only affect the order of
$e'_n, \ldots, e'_{n+m}$. Each relabelling changes the labels on a smaller initial segment of $\{ e_i \mid i > n \}$,
and so finally $e'_n$ becomes such that no $e'_i$, $i > n$, lies between it and any of $e_0, \ldots, e_{n-1}$ in the
combined ordering. At that point $g$ becomes defined on its $n$th event. Furthermore $g$ will be defined
on all of $e'_n, \ldots, e'_{n+m-1}, e'_{n+m}$ before it is necessary to disturb the labelling above $n+m$, by the
same reductio ad absurdum as above. Thus the claim.

For each event $e_i$, therefore, $g(e_i)$ is eventually defined. $g$ is a one-to-one integer valued function
that preserves $\to$, since any non-preservation would show up at a finite stage contrary to the induction.
Hence the Weak Axiom of Realizability is satisfied. ∎

The Law of Discreteness has two immediate consequences for the primitive orderings. 

Law of Discreteness in the Activation Ordering. If $C$ is a chain of events in the activation ordering
from $e_1$ to $e_2$, then $C$ is finite.

Law of Discreteness in an Arrival Ordering. For all events $e_1$ and $e_2$ such that $T(e_1) = T(e_2) = a$,
$\{ e \mid e_1 \xrightarrow{\text{arr}_a} e \xrightarrow{\text{arr}_a} e_2 \}$ is finite.

The first two parts of the following independence theorem are essentially the same as Theorem 2 
of §5. 

Theorem 3. The Weak Axiom of Realizability is stronger than the conjunction of 

1. All the laws in this and the previous section except for the Law of Strict Causality. 

2. All the laws in this and the previous section except for the Law of Countability.

3. All the laws in this and the previous section except for the Law of Discreteness, the Law of Finite 
Chains Between Events in the Combined Ordering, and the Law of Finite Predecession. 

The third part of this theorem is less obvious, and its proof will be deferred to the next section. It
amounts to asserting that the Law of Finite Chains Between Events in the Combined Ordering is
independent of the corresponding laws on the activation and arrival orderings. In other words, local
discreteness does not imply global discreteness. Hewitt and Baker conjectured that adding additional
local laws, which they called locality laws, sufficed to derive the Law of Finite Chains Between Events
in the Combined Ordering from the corresponding local laws. 24 The next section is devoted to a
counterexample.

24 “Actors and Continuous Functionals”. 
Figure 6. A counterexample to a conjecture by Hewitt and Baker.

II.7. A Strong Independence Result

Figure 6 shows that finite predecession in the activation and arrival orderings does not imply
discreteness in the combined ordering. Between any two events in the figure there exists a directed
finite path in the combined ordering. In particular, $E_i \to e_1$ for all $i$, so there are infinitely many
events between $E_0$ and $e_1$. In fact, all the events of the figure fall into the infinite chain

$E_0 \to E_1 \to E_2 \to E_3 \to E_4 \to \cdots \to e'_4 \to e_4 \to e'_3 \to e_3 \to e'_2 \to e_2 \to e'_1 \to e_1.$

This proves part 3 of Theorem 3 of the last section.

Consider the finite “top sections” obtained by restricting the diagram in Figure 6 to the events 

$\{ E_i \mid i < n \} \cup \{ e_i \mid i < n \} \cup \{ e'_i \mid i < n \}$

for integers $n$. While the figure as a whole fails to satisfy the Weak Axiom of Realizability, each top
section satisfies the strong Axiom of Realizability and is thus a valid actor event diagram. Not only
are the top sections formally acceptable, but they are physically possible as well. Even supposing that
the message of $e_1$ is sent before the message of $e_2$ (which is not implied by the fact that their activators
occur in that order), it is entirely possible for event $e_2$ to occur before $e_1$. That is because messages
being sent over computer networks are subject to variable delays from varying route choices and
processor loads. While the larger top sections are not very probable, they are still possible. The entire
figure is quite impossible, however, instead of being possible with probability zero as extrapolation
would suggest.

Figure 6 is the basis for a counterexample to the conjecture that discreteness follows from
discreteness in the activation and arrival orderings together with the locality laws discussed in Chapter
IV. 25 All that needs to be shown is that acquaintances and creation events can be assigned so that the
locality laws are fulfilled. Logically that should await the definition of the locality laws in terms of the
structure $(E, A, T, \xrightarrow{\text{act}}, Arr)$ and new objects $acq$, $A_0$, and $creation$. Illogically it appears here as
the proof of a theorem asserting independence of the ordering laws from the locality laws.

Theorem 1. There exists a structure

$(E, A, T, \xrightarrow{\text{act}}, Arr, acq, A_0, creation)$

of which the Law of Finite Chains in the Combined Ordering is not true, but for which all of the
following hold.

1. E is the set of events. 

2. A is the set of actors. 

3. $T$ is the target function $: E \to A$.

4. $\xrightarrow{\text{act}}$ is the activation ordering, an irreflexive partial order on $E$ such that no event has more
than one immediate predecessor.

5. $Arr$ is the set of arrival orderings, a set of irreflexive linear orders $\xrightarrow{\text{arr}_a}$ on $T^{-1}(a)$, for
$a \in A$.

6. $acq$ is the acquaintance function $: E \to$ finite-subsets($A$).

7. $A_0$ is the set of primeval actors.

25 Hewitt and Baker, “Actors and continuous functionals”.

8. $creation$ is the creation function $: (A - A_0) \to E$.


9. The Law of Strict Causality. 

10. The Law of Countability. 

11. The Law of Finite Predecession in the Activation Ordering. 

12. The Law of Finite Predecession in an Arrival Ordering. 

13. All the locality laws in Chapter IV. 

14. There is only one primeval actor. That is, $A_0$ is a singleton.

15. No event is the creation event for infinitely many actors. That is, $\forall e \in E$
$\{ a \in A \mid creation(a) = e \}$ is finite. 26

16. No actor ever has more than two acquaintances. That is, $\forall e \in E$ $acq(e)$ contains at most two
actors. 27

17. There is an initial event preceding all other events in the activation ordering. 28

18. No event activates infinitely many events. 29

Proof. The events are, as in Figure 6,

$E = \{ E_i \mid i \ge 0 \} \cup \{ e_i \mid i \ge 1 \} \cup \{ e'_i \mid i \ge 1 \}.$

Of course this is just a set of names. Let 


$A = \{ a_i \mid i \ge 0 \}$

be the set of actors, also a set of names. The target function is defined by

$T(E_i) = a_0$, $i \ge 0$;

$T(e_i) = a_i$, $i \ge 1$;

$T(e'_i) = a_i$, $i \ge 1$.

26 This was a law in “Actors and continuous functionals”.

27 Baker, “Actor systems for real-time computation”, required that the number of acquaintances of an actor be bounded.

28 This was postulated for simplicity in Hewitt and Baker, “Laws for communicating parallel processes”.

29 This was a law in “Actors and continuous functionals”.
The activation ordering is defined by

$E_i \xrightarrow{\text{act}} E_j$, $0 \le i < j$;

$E_i \xrightarrow{\text{act}} e_j$, $0 \le i < j$, $j \ge 1$;

$E_i \xrightarrow{\text{act}} e'_j$, $0 \le i < j + 1$, $j \ge 1$;

$e_{i+1} \xrightarrow{\text{act}} e'_i$, $i \ge 1$.

The arrival orderings $\xrightarrow{\text{arr}_{a_i}}$, $a_i \in A$, are defined by

$E_i \xrightarrow{\text{arr}_{a_0}} E_j$, $0 \le i < j$;

$e'_i \xrightarrow{\text{arr}_{a_i}} e_i$, $i \ge 1$.

The acquaintance function is defined by

$acq(E_0) = \{ a_0 \}$;
$acq(E_i) = \{ a_0, a_i \}$, $i \ge 1$;
$acq(e_i) = \emptyset$, $i \ge 1$;
$acq(e'_i) = \emptyset$, $i \ge 1$.

The only primeval actor is $a_0$, so $A_0 = \{ a_0 \}$. The other actors are created in the course of
computation, and their creation events are defined by

$creation(a_i) = E_{i-1}$, $i \ge 1$.

The structure so defined confirms the claims of the theorem. ∎

Describing this pseudo-computation informally, there is only one actor $a_0$ that exists at the
beginning. The initial event $E_0$ tells it to begin. It then creates $a_1$ and sends a message to itself. When
that message arrives in event $E_1$, it creates $a_2$, sends a message to $a_2$ telling it about $a_1$, forgets about
$a_1$, and sends another message to itself. When that message arrives in event $E_2$, it creates $a_3$, sends
a message to $a_3$ telling it about $a_2$, forgets about $a_2$, and sends another message to itself. In general,
when a message from itself arrives in an event $E_i$, actor $a_0$ creates $a_{i+1}$, sends a message to $a_{i+1}$
telling $a_{i+1}$ about $a_i$, forgets about $a_i$, and sends another message to itself. It does this forever, so the
computation cannot terminate.

Each created actor $a_i$, $i \ge 1$, upon receiving a message naming an actor, sends a message to that
actor. The content of the message is irrelevant.

Figure 7 defines these actor behaviors using a toy programming language. 
    (master = acq initially [ ]
              inside
              accept [ ]
                (create ((slave = accept [ x ]
                                   if actorp(x)
                                   then send "ignore" to x
                                   else dummy))
                 (if equal [ acq [ ] ]
                  then dummy
                  else send acq to slave) ;
                 change acq to slave) ;
                send [ ] to master)

Figure 7. A program to illustrate the counterexample.

It is possible for $a_0$'s message to $a_1$ to be slow, so that event $E_1$ occurs, $a_2$ is created and receives
the message about $a_1$, and the message from $a_2$ arrives at $a_1$, all before $a_0$'s message arrives at $a_1$. In
that way $e'_1$ can precede $e_1$ in the arrival ordering of $a_1$. This scenario can occur at any number of
actors, even infinitely many. Figure 7 shows it occurring at all actors, however, and that cannot be.

Figure 7 can be seen to be impossible only when it is considered as a whole. This shows the
“globalness” of the phenomenon, and that a truly global law, such as the Law of Discreteness, must be
devised to take care of it.
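
The contrast between the finite top sections and the whole figure can be checked mechanically. The Python below is an added example, not code from the thesis: it builds the activation and arrival pairs of this section's structure restricted to events with index below n, assigns a global time by topological sorting, and counts the events strictly between E_0 and e_1. The function names and the tuple encoding of events are assumptions of the example.

```python
def top_section(n):
    """Events with index below n and the activation/arrival pairs among them."""
    events = [("E", i) for i in range(n)]
    events += [(kind, i) for i in range(1, n) for kind in ("e", "e'")]
    edges = set()
    for i in range(n):
        for j in range(1, n):
            if i < j:
                edges.add((("E", i), ("E", j)))    # act, and arr at a_0
                edges.add((("E", i), ("e", j)))    # act
            if i < j + 1:
                edges.add((("E", i), ("e'", j)))   # act
    for i in range(1, n):
        edges.add((("e'", i), ("e", i)))           # arr at a_i
        if i + 1 < n:
            edges.add((("e", i + 1), ("e'", i)))   # act
    return events, edges


def global_time(events, edges):
    """One-to-one integer valued g that preserves every pair in edges."""
    succ = {e: [] for e in events}
    indegree = {e: 0 for e in events}
    for a, b in edges:
        succ[a].append(b)
        indegree[b] += 1
    ready = [e for e in events if indegree[e] == 0]
    g = {}
    while ready:
        e = ready.pop()
        g[e] = len(g)
        for x in succ[e]:
            indegree[x] -= 1
            if indegree[x] == 0:
                ready.append(x)
    if len(g) != len(events):
        raise ValueError("cycle found: strict causality is violated")
    return g


def reachable(start, adjacency):
    """All events reachable from start by one or more steps."""
    seen, stack = set(), [start]
    while stack:
        for x in adjacency.get(stack.pop(), ()):
            if x not in seen:
                seen.add(x)
                stack.append(x)
    return seen


def strictly_between(edges, a, b):
    """Events x with a -> x -> b in the combined ordering (transitive closure)."""
    forward, backward = {}, {}
    for x, y in edges:
        forward.setdefault(x, []).append(y)
        backward.setdefault(y, []).append(x)
    return reachable(a, forward) & reachable(b, backward)


def span(n):
    """(number of events between E_0 and e_1, g(e_1) - g(E_0)) for top section n."""
    events, edges = top_section(n)
    g = global_time(events, edges)
    between = strictly_between(edges, ("E", 0), ("e", 1))
    return len(between), g[("e", 1)] - g[("E", 0)]


if __name__ == "__main__":
    for n in range(2, 7):
        print(n, span(n))
```

Every top section gets a global time, but the distance it forces between E_0 and e_1 is 3n - 3 and grows without bound, so no single integer valued g can serve the whole figure.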

Upon learning of this counterexample, Professor Hewitt set the problem of finding a
counterexample as an exercise for MIT subject 6.835. Valdis Berzins solved the exercise, finding a
different, symmetric counterexample. 30


II.8. Modifying a Proof

One of the purposes of this chapter has been to relax unnecessary restrictions on the actor event
diagrams. As noted at the end of §3, there is good reason to allow an event to activate infinitely many
events. This was not allowed by Hewitt and Baker, partly because they wished to assume finite
activation in proofs, and partly for reasons mentioned at the end of §4. Having removed the assumption
of finite activation from Theorem 1 of §6, it is now time to remove that assumption from the main
theorem of “Actors and continuous functionals”.

30 Valdis Berzins, “An independence result for actor laws”, MIT LCS Computation Structures Group Note 34, December
1977.

Considerable notation and some definitions from that paper will be needed before proving the
lemma that depended upon finite activation.

Messages must be represented in some language, and have some kind of structure. For the
purposes of this proof there are two sorts of messages, corresponding to two kinds of events. A request
event is an event of the form

[f <- request: x, reply-to: c]

which represents passing an argument x to the actor f, with instruction to send any result to a
continuation actor c. A reply event is an event of the form

[c <- reply: y]

which represents the arrival of a result y at the continuation actor c. By convention, replies are
responses to previous request events.

Definition. If an event $e_1$ is of the form

[... <- request: ..., reply-to: c],

$e_2$ is of the form

[c <- reply: ...],

$e_1 \xrightarrow{\text{act}} e_2$, and for no event $e$ of the same form as $e_2$ is $e_1 \xrightarrow{\text{act}} e \xrightarrow{\text{act}} e_2$ true, then $e_2$ is said
to be a reply to $e_1$.

A request event may have no replies, one reply, nineteen replies, or infinitely many replies. For a
request event whose target is an actor that behaves as a procedure, however, there is at most one reply,
by definition. 31

For an event $e$ let $R(e) = \{ e \} \cup \{ e' \mid e \to e' \}$ and $L(e) = \{ e \} \cup \{ e' \mid e' \to e \}$.

31 See “Actors and continuous functionals”.
[Figure 8: an event diagram containing request events with messages (request: 0, reply-to: c) and
(request: 1, reply-to: d), reply events [c <- reply: 0] and [d <- reply: 1], and events e, e', e'' such
that e -cont-> e' and e' -cont-> e'', but not e -cont-> e''.]

Figure 8. The continuation ordering may not be transitive.

Definition. If $e$ is a request event then the activity corresponding to $e$ is

$R(e) \cap \bigcup \{ L(e') \mid e' \text{ is a reply to } e \}.$

Perhaps not all events in the activity corresponding to $e$ actually contribute to answering the
request $e$, but certainly all events that do contribute are in the activity. An activity may not be finite,
because a request can have infinitely many replies. If a request has only finitely many replies, though,
as is the case if its target is a procedure, then its activity is guaranteed to be finite by the Law of
Discreteness.

Definition. If $e$ and $e'$ are events, $e \to e'$, and there is some activity $a$ such that $e, e' \in a$, then we
say $e \xrightarrow{\text{cont}} e'$.

Although $\xrightarrow{\text{cont}}$ is called the continuation ordering, it is not in general a true ordering because
it may not be transitive. In Figure 8, $e \xrightarrow{\text{cont}} e'$ and $e' \xrightarrow{\text{cont}} e''$, but $e \xrightarrow{\text{cont}} e''$ is not
true. The continuation ordering is transitive when restricted to activities corresponding to requests of
a procedure, though, because by definition the activities of a procedure are properly nested. Note that
$\xrightarrow{\text{cont}}$ is a subrelation of the combined ordering $\to$.

An actor that is a procedure and initiates the same activity, in the sense of the same messages
with the same targets and the same relationships between events, whenever it is sent the same request
is said to behave like a function.

The definition of an immediate f-descendant in the first version of “Actors and continuous
functionals” 32 contained a small but subtle error that was partially corrected in subsequent versions.
The idea is that the immediate f-descendants of $(x, y) \in graph(f)$ are those $(x', y') \in graph(f)$
that must be known in order to compute $f(x)$ without recursing. As is often the case, the proof is
correct because it depends on what the definition is supposed to be, not its formal specification. The
definition below is supposed to be what the definition was supposed to be.

Definition. Suppose an actor $f$ behaves like a mathematical function, $(x, y) \in graph(f)$, and
$(x', y') \in graph(f)$. Then $(x', y')$ will be said to be an immediate f-descendant of $(x, y)$ if there is some
history of $f$ that has events $e_1$ and $e_2$ of the form

e_1: [f <- request: x, reply-to: ...]

e_2: [f <- request: x', reply-to: ...]

such that $e_2$ belongs to the activity initiated by $e_1$ (so that $e_1 \xrightarrow{\text{cont}} e_2$) and it is not the case that
there is an event $e$ of the form

e: [f <- request: ..., reply-to: ...]

such that $e_1 \xrightarrow{\text{cont}} e \xrightarrow{\text{cont}} e_2$.

Definition. Suppose that $(x, y) \in graph(f)$. Then

$\text{immediate-descendants}_f((x, y)) = \{ (x', y') \mid (x', y') \text{ is an immediate f-descendant of } (x, y) \}.$

32 IFIP Working Conference on Formal Description of Programming Concepts, August 1977, 16.1-16.21.

33 MIT LCS Technical Report 194, December 1977.
As an example, Hewitt and Baker give the following procedure.

    fib(n) =
        if n=1 then 1
        if n=2 then 1
        if n>2 then fib(n-1)+fib(n-2).

    immediate-descendants_fib((1,1)) = ∅
    immediate-descendants_fib((2,1)) = ∅
    immediate-descendants_fib((3,2)) = {(1,1), (2,1)}
    immediate-descendants_fib((5,5)) = {(3,2), (4,3)}

Now the only real use Hewitt and Baker make of the assumption of finite activation is in proving
the following lemma.

Lemma 1. If an actor $f$ behaves like a mathematical function and $(x, y) \in graph(f)$, then
$\text{immediate-descendants}_f((x, y))$ is finite.

Proof. Let $e_1$ be a request for the procedure $f$ to compute the value $f(x)$. That is, $e_1$ is of the form

e_1: [f <- request: x, reply-to: ...].

By the way Hewitt and Baker define “function” there can be at most one reply to this request. There
is a reply, since $(x, y) \in graph(f)$, so call it $e_2$. Since $e_1$ has a unique reply, the activity initiated
by $e_1$ is just $\{ e_1, e_2 \} \cup \{ e \mid e_1 \to e \to e_2 \}$. This set is finite by the Law of Discreteness, and so
$\text{immediate-descendants}_f((x, y))$ is finite by the definition. ∎

The lemma thus remains true without the assumption of finite activation. As this lemma is the
only place in its proof where Hewitt and Baker use finite activation, the theorem to be stated below no
longer depends upon that hypothesis.

Definition. If $G$ is a set of input-output pairs, then

$D_f(G) = \{ (x, y) \mid (x, y) \in graph(f) \text{ and } \text{immediate-descendants}_f((x, y)) \subseteq G \}.$

Theorem 2. (Hewitt and Baker.) If an actor $f$ behaves like a mathematical function, then $D_f$ is
a continuous functional in the sense of Scott, and $graph(f)$ is the limit of $D_f$ beginning with the empty
graph. Also $graph(f)$ is the minimal fixed point of $D_f$.
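
The limit in Theorem 2 can be watched for the fib procedure given above. The Python below is an added example, not code from the thesis or from Hewitt and Baker: it traces the direct recursive requests made while answering each request (the immediate f-descendants), then iterates D_f from the empty graph. Restricting graph(fib) to a finite domain 1..N and all function names are assumptions of the example.

```python
def graph_with_descendants(domain):
    """Return graph(fib) on domain and the immediate descendants of each pair.

    domain must be 1..N so that every recursive request stays inside it.
    """
    value, children, stack = {}, {}, []

    def fib(n):
        # A request made while another request is being answered is a
        # direct recursive request of the innermost pending one.
        if stack:
            children.setdefault(stack[-1], set()).add(n)
        children.setdefault(n, set())
        stack.append(n)
        try:
            result = 1 if n in (1, 2) else fib(n - 1) + fib(n - 2)
        finally:
            stack.pop()
        value[n] = result
        return result

    for x in domain:
        fib(x)
    graph = {(x, value[x]) for x in domain}
    descendants = {
        (x, value[x]): {(c, value[c]) for c in children[x]} for x in domain
    }
    return graph, descendants


def D(graph, descendants, G):
    """The functional D_f applied to a set G of input-output pairs."""
    return {pair for pair in graph if descendants[pair] <= G}


def kleene_chain(graph, descendants):
    """Stages of iterating D_f from the empty graph until nothing changes."""
    stages = [set()]
    while True:
        nxt = D(graph, descendants, stages[-1])
        if nxt == stages[-1]:
            return stages
        stages.append(nxt)


if __name__ == "__main__":
    graph, descendants = graph_with_descendants(range(1, 8))
    for k, stage in enumerate(kleene_chain(graph, descendants)):
        print(k, sorted(stage))
```

Each stage adds exactly the pairs whose immediate descendants were already present, so the chain is increasing and its last stage is graph(fib) on the chosen domain.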
Chapter III


Nondeterminism


Is the universe deterministic? Regardless of the answer, there exist systems so complex that their 
unique future behavior cannot exactly be predicted in any practical sense. In practice such systems are 
considered nondeterministic. 

This chapter deals with the semantics of nondeterministic programming languages. The usual
way of representing nondeterminism in a denotational fixed point semantics is by means of power 
domains, so called by analogy with power sets. Extending the power domain construction to apply 
to incomplete domains makes possible a power domain semantics for nondeterministic programming 
languages in which a fair merge can be written. 

III.1. Nondeterminism can be Viewed as Incomplete Specification

Abstraction is essential to understanding complex systems. One difference between good and
bad programmers is that good programmers think in terms of the function performed by a program
segment whereas bad programmers are likely to think of the program segment as a sequence of steps.
Programming language semantics seeks to provide abstract descriptions of program segments.
As part of the abstraction process, details are suppressed. One detail universally suppressed
by programming language semantics is the amount of time required to do a particular thing, since
it varies from implementation to implementation or even from moment to moment. As a result
programming language semantics cannot always say exactly what the output of a program with
concurrency will be, because the output may depend upon timing. Abstraction can therefore lead to
nondeterminism.

Nondeterminism can result from any incomplete specification of a programming language,
whether deliberate as in the case of abstraction or accidental as in the case of oversight. Though the
nondeterministic program given below is written in APL, it uses no special features of that language.
Almost any popular programming language would have served. APL was chosen partly because it is
simple, concise, and well-known, but the main reason is that an ambiguity in APL's order of
evaluation went unrecognized for many years, the ambiguity created significant nondeterminism, and the
ambiguity was of the sort that can be exploited through concurrency.

Consider the program FOO defined by

    ∇ RESULT ← FOO X
    [1] GLOBAL ← 0
    [2] RESULT ← (F X) + (G X)
    ∇

which, given an argument X, sets the global 1 variable GLOBAL to 0 and then returns as its result the
sum of F X and G X, where F and G are user defined “function” subprograms. If F and G do any
significant computation at all, then the time required to execute FOO on a sequential machine is the
sum of the execution times for F and G. For example, if F and G each take one minute to return their
answers, then executing FOO takes two minutes. With the advent of multiprocessors capable of
performing several independent computations concurrently, it has become feasible to consider evaluating
F and G at the same time on separate processors, so that executing FOO might take as little as half the
time required when only a single processor is used.

This example suggests one of the speed gains possible through multiprocessing. The particular
speedup illustrated is possible any time that two or more arguments to a function each require
significant time to evaluate. Devotees of largely functional languages such as Lisp and APL perceive
this to be of profound importance for the design of languages intended for execution on
multiprocessors. 2

1 In the sense that the memory location denoted by GLOBAL is accessible to subprograms invoked by FOO. The example
is indifferent to the question of whether the memory location can be directly accessed by all hardware processors.

Nondeterminism often accompanies this and many other techniques for concurrency. That is,
the outcome of a program may no longer be completely determined. Nondeterminism may or may
not affect the usefulness or correctness of a program. Consider, for example, a program that conducts
a parallel search for a proof of or a counterexample to the Goldbach conjecture. It does not matter
which particular proof or counterexample is first found. While some programs must be deterministic
to be correct, nondeterminism has a role in artificial intelligence programs and programs such as
operating systems that depend on inputs presented at unpredictable times.

Even so simple a program as FOO can be nondeterministic. Suppose the subprograms F and G
invoked by FOO are defined as follows.

    ∇ RESULT ← F X
    [1] RESULT ← GLOBAL
    [2] GLOBAL ← 1
    ∇

    ∇ RESULT ← G X
    [1] RESULT ← GLOBAL
    [2] GLOBAL ← 1
    ∇

Aside from their names, these programs are identical. Each reads the global variable GLOBAL and, 
after setting GLOBAL to 1, returns the value read as its result. 

On a sequential machine, these definitions cause FOO to evaluate to 1 (regardless of the value of
X). Here is what happens. First FOO sets GLOBAL to 0. Then, in line 2 of FOO, G is invoked with X
as its argument. 3 G reads the global variable GLOBAL, finds its value to be 0, sets GLOBAL to 1, and
returns 0 as its result. Then F is invoked with argument X. F reads GLOBAL, finds its value to be 1, sets
GLOBAL to 1, and returns 1 as its result. FOO then sums the results of F and G to obtain its result: 1.
On an interactive APL terminal:

    X ← 297 (or other arbitrary value)
    FOO X
    1

2 See for example Friedman and Wise, “Aspects of applicative programming for parallel processing” IEEE Transactions
on Computers 027, 4, April 1978, pages 289-296.

3 Since APL as now defined evaluates right-most arguments first.

Were F X and G X to be evaluated in parallel on a multiprocessor, FOO X might sometimes
return 0 instead of 1. The reason is that F and G might both read the global variable GLOBAL before
the second line of either subprogram had been executed to set GLOBAL to 1. Thus both F and G might
return 0 as their result. On an APL terminal:

    FOO X
    0

would be possible as well as

    FOO X
    1

A given multiprocessor implementation might consistently return a particular one of these two
possible results. Nonetheless the program must be regarded as nondeterministic, since the program
itself does not determine a unique answer; only when the program is paired with an implementation
can the result be determined. Indeed the result may not be determined even then, since the result may
be affected by dynamically changing conditions within the multiprocessor. For example, the number
of processors available to a computation can change in response to resource requests by concurrent
computations.

Thus parallel evaluation of arguments can lead to nondeterminism because the order in which
events occur in global time is left incompletely specified. Were the semantics of a program to
determine completely the order of events in global time, the program would be sequential; it is when
the semantics least constrains the order of events that there exist the greatest opportunities for
parallelism. Opportunities for parallelism therefore arise from a kind of semantic ambiguity regarding the
order of events in global time. Until recently, for example, the (informal) semantics of APL did not
prescribe a definite order of evaluation of expressions, so that some APL implementations evaluated
the expression

    X - (X ← X - 1)

from left to right and obtained 1, while other equally correct APL implementations evaluated from
right to left and obtained 0. 4 Had a multiprocessor implementation of APL existed, it could have
evaluated the subexpressions X and (X ← X - 1) in parallel, obtaining 0 on some occasions and 1
on others. This ambiguity in the semantics of APL has now been fixed by the adoption of a standard
order of evaluation, but the remedy precludes the parallel evaluation of arguments that was allowed
by the ambiguity of the old semantics.

What if the programmer intends a program to be deterministic? Then the programmer must
arrange for the sequence-sensitive portions of the program to be executed in a definite order. FOO, for
example, could be rewritten as

    ∇ RESULT ← FOO2 X; LOCAL1; LOCAL2
    [1] GLOBAL ← 0
    [2] LOCAL1 ← F X
    [3] LOCAL2 ← G X
    [4] RESULT ← LOCAL1 + LOCAL2
    ∇

using local variables to hold the results of evaluating F X and G X. FOO2 is deterministic even when
function arguments are evaluated in parallel. Remember that the possibility of evaluating arguments
in parallel was not considered when the APL language was designed, and even so the only reason F
and G cause problems when evaluated in parallel is that each assigns to a global variable referenced
by the other. Most well-written subprograms have no such side effects. In a language designed
specifically for concurrency, troublesome side effects could be expected to be even rarer.
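
The schedules behind the two possible answers of FOO, and the single schedule of FOO2, can be enumerated directly. The Python model below is an added example, not code from the thesis: it assumes that each read of GLOBAL and each assignment to GLOBAL is one atomic step, and the step encoding and function names are the example's own.

```python
from collections import Counter

# Atomic steps of the page's F and G: line [1] reads GLOBAL, line [2] sets it to 1.
F_STEPS = [("F", "read"), ("F", "write")]
G_STEPS = [("G", "read"), ("G", "write")]


def interleavings(a, b):
    """Yield every merge of step lists a and b that keeps each list's own order."""
    if not a or not b:
        yield list(a) + list(b)
        return
    for rest in interleavings(a[1:], b):
        yield [a[0]] + rest
    for rest in interleavings(a, b[1:]):
        yield [b[0]] + rest


def run(schedule):
    """Execute one schedule after GLOBAL <- 0 and return (F X) + (G X)."""
    global_var = 0
    result = {}
    for who, op in schedule:
        if op == "read":
            result[who] = global_var    # RESULT <- GLOBAL
        else:
            global_var = 1              # GLOBAL <- 1
    return result["F"] + result["G"]


def foo_outcomes():
    """Results of FOO when F X and G X may be evaluated in parallel."""
    return Counter(run(s) for s in interleavings(F_STEPS, G_STEPS))


def foo2_outcomes():
    """Results of FOO2, whose lines [2] and [3] fix the order F then G."""
    return Counter([run(F_STEPS + G_STEPS)])


def racy_schedules():
    """Schedules of FOO that return 0."""
    return [s for s in interleavings(F_STEPS, G_STEPS) if run(s) == 0]


if __name__ == "__main__":
    print("FOO :", dict(foo_outcomes()))
    print("FOO2:", dict(foo2_outcomes()))
    for s in racy_schedules():
        print("returns 0:", " ".join(f"{who}.{op}" for who, op in s))
```

Of the six schedules, the two that run one subprogram to completion before the other return 1; the four in which both reads precede either assignment return 0.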

Not only is some incompleteness in specifying the order of events in global time desirable
because it allows concurrency, but it is necessary when concurrency is allowed. For a programming
language semantics to specify completely the order in which events are to occur during multiprocessor
execution of a concurrent program is generally impossible, since it would entail fixing myriad details
such as the number and relative speeds of concurrent processors, the exact times of and delays
occasioned by page faults and other interrupts, the timing of signals between processors and the manner
in which they are arbitrated, and so on, down to the levels of time resolution at which quantum
indeterminacy becomes important.

4 Richard H Lathwell, “Some implications of APL order-of-execution rules”, APL79, APL Quote Quad 9, 4-Part 1, June
1979, pages 329-332.
Except for two general requirements, the actor model specifies none of these timing details. The
first requirement is that in keeping with the idea of actors as independent computational agents each
actor has the computing energy 5 it needs to process messages sent to it. The second requirement is
that every message eventually arrives at its target, a requirement known as finite delay. These
requirements leave much unsaid about the order of events in an actor's arrival ordering. The nondeterminism
that results will be called arrival nondeterminism.

Arrival nondeterminism is similar to the notion of global nondeterminism introduced by Francez
et al for the programming language CSP, 6 but §8 points out an important difference. The local
nondeterminism of CSP is a form of the choice nondeterminism discussed below.

Choice nondeterminism arises from the presence of choice points within a program, where an
implementation is allowed to choose the program's flow of control at random from among a finite
set of alternatives. The implementation does not have to make the choice randomly, but it may.
Dijkstra’s guarded commands are examples of such choice points. Although choice points permit
concurrency, they have the defect of permitting random choice as well. Choice points are of interest in
this dissertation only because they are often used to model the nondeterminism that accompanies
concurrency. Nondeterministic concurrency differs from random choice, but using choice points to model
nondeterministic concurrency reduces the problem of providing a semantics for nondeterministic
concurrent programs to the problem of generalizing the existing theory of semantics for sequential
programs to handle choice points. It is then important to remember that in this context choice points
are only an attempt to model concurrency. If theories of sequential programs with choice points turn
out to produce different conclusions about concurrent programs than theories based directly upon
true concurrency, then the idea that concurrency can be modelled by choice points must yield. That
has turned out to be the case. Considering concurrency directly leads to regarding some programs as
unboundedly nondeterministic, but it can be shown that no sequential program with random choice
points is unboundedly nondeterministic.

5 Computing energy is computing power integrated over time. If several actors share time on a single processor, for
example, an actor’s computing energy is the computing power of the processor multiplied by the time that the actor
actually uses the processor.

6 Nissim Francez, C A R Hoare, Daniel J Lehmann, and Willem P de Roever, “Semantics of nondeterminism, concurrency,
and communication”, J Computer and System Sciences 19, 1979, pages 190-308.

Unbounded (infinite) nondeterminism is a property of programs that on some fixed input are
certain to return an answer, but the set of possible answers is infinite. Unbounded nondeterminism
will be considered at some length in §7 and §8, but its present importance is that a plausible theory of
semantics for concurrent computation must differ from a theory of semantics for sequential programs
with choice points.

The next three sections present the mathematical foundation underlying a theory of semantics 
for concurrent computation. 

III.2. Fixed Point Semantics 

The denotational theory of programming language semantics is concerned with finding mathematical
objects that represent what a program does. Examples of such objects are partial functions,
sequences of states, and actor event diagrams. Usually there is a partial ordering $\le$ on these objects
with $x \le y$ meaning that $x$ is compatible with but possibly less defined than $y$. In other words, $x$
approximates $y$. If the objects are partial functions, for example, $f \le g$ may mean that $f$ agrees with
$g$ on all values for which $f$ is defined. If the objects are actor event diagrams, $x \le y$ means $x$ is a
possible initial history⁷ of $y$. The object representing a program $P$ is found by solving an equation of
the form $x = f_P(x)$. This section states conditions guaranteeing a solution to that equation.

Let $(D, \le)$ be a partially ordered set, and let $A$ be a subset of $D$. $a \in A$ is a minimal element of
$A$ iff $A$ contains no elements below $a$. That is,

$$\forall x \in A \quad x \le a \Rightarrow x = a.$$

⁷ See §IV.3.

$a \in A$ is a least element of $A$ iff $a$ lies below every other element of $A$. That is,

$$\forall x \in A \quad a \le x.$$

Maximal and greatest elements are defined dually.

An upper bound for $A \subseteq D$ is an element $u \in D$ such that

$$\forall x \in A \quad x \le u.$$

A least upper bound for $A \subseteq D$ is an upper bound that is least in the set of upper bounds for $A$ in
$D$. (Least upper bounds are sometimes called limits, because they are a special case of colimits in
category theory; there is also a $T_0$ topology on $D$ in which the least upper bound of an increasing
sequence is a limit of the sequence in the topological sense.) In general, a set may not have upper
bounds, and a set may have upper bounds but no least upper bound. Examples are the rationals $\mathbb{Q}$
under the usual ordering, and the negative rationals as a subset of $D = \mathbb{Q} - \{0\}$. If a set has a least
upper bound, though, it has exactly one. The least upper bound of $A \subseteq D$ will be written
$\bigvee_{x \in A} x$ or $\bigvee A$, except that $\sqsubseteq$ and $\bigsqcup$ will sometimes be used in place of
$\le$ and $\bigvee$.

A set $A \subseteq D$ is directed iff every pair of elements of $A$ has an upper bound in $A$. It then follows
that every finite subset of $A$ has an upper bound in $A$. These upper bounds need not be least. For
example, suppose $D$ is the power set of the natural numbers $\omega$ ordered by inclusion. Then the set of
all finite subsets of $\omega$ is directed, as is the three element set consisting of $\{0\}$, $\{1\}$, and $\omega$.

Let $(D, \le)$ and $(D', \le')$ be partially ordered sets. A function $f : D \to D'$ is monotonic iff it
preserves order, so that $\forall x, y \in D$

$$x \le y \Rightarrow f(x) \le' f(y).$$

$f$ is $\omega$-continuous iff it is monotonic and preserves all existing least upper bounds of countable
increasing sequences, so that if $\{x_i\}_{i \in \omega}$ is a sequence in $D$ with $x_i \le x_{i+1}$ for all
$i \in \omega$ then

$$f\Bigl(\bigvee_{i \in \omega} x_i\Bigr) = \bigvee_{i \in \omega} f(x_i).$$

(Equivalently, $f$ is $\omega$-continuous if it preserves least upper bounds of countable directed sets.) Note
that this definition does not presume that all countable increasing sequences have least upper bounds,
but states only that $f$ preserves those least upper bounds that exist.

$(D, \le)$ is $\omega$-complete iff every countable increasing sequence (equivalently every countable
directed set) has a least upper bound in $D$. That is, if for all $i \in \omega$ $x_i \in D$ and $x_i \le x_{i+1}$, then
$\bigvee_{i \in \omega} x_i$ exists.

Now suppose $(D, \le)$ has a least element $\bot$ and is $\omega$-complete. Then every $\omega$-continuous
function $f : D \to D$ has a fixed point given by $\bigvee_{i \in \omega} f^i(\bot)$, and furthermore this fixed
point is least among all fixed points of $f$.

This is the most basic fact of fixed point semantics. Typically $D$ is a set of possible meanings
for programs, such as a set of partial functions from inputs to outputs, ordered according to some
approximation ordering. The semantics of a programming language defines for each program $P$ a
continuous function $f_P : D \to D$. The program $P$ is then said to denote the least fixed point of its
associated continuous function $f_P$. The domain $D$ must be $\omega$-complete to ensure that the least fixed
point exists.

For more information on fixed point semantics, readers should consult the tutorial article by
Tennent,⁸ the textbook by Stoy,⁹ or the comprehensive volumes of Milne and Strachey.¹⁰ These
references deal only with fixed point semantics on lattices, however, while we must consider more
general partial orders.

III.3. Domains and Their Completions 

Usually there is an intuitive sense in which some elements of the partially ordered sets considered
by fixed point semantics are finite. They may be partial functions defined for only finitely
many values, for example, or they may be finite partial computations. This sense of finiteness lies
behind the following abstract definition.

⁸ R D Tennent, “The denotational semantics of programming languages”, CACM 19, 8, August 1976,
pages 437-453.

⁹ Joseph E Stoy, Denotational Semantics: The Scott-Strachey Approach to Programming Language
Semantics, MIT Press, Cambridge MA, 1977.

¹⁰ Robert Milne and Christopher Strachey, A Theory of Programming Language Semantics, Chapman and
Hall, London, 1976.

[Figure 1: diagram of $D = \{0, 1, 2, 3, \ldots\} \cup \{x, y\}$, where $i \sqsubseteq j$ if $i \le j$,
$i \sqsubseteq x$, and $i \sqsubseteq y$.]

Figure 1. A partial order in which every element is isolated.

[Figure 2: diagram of $D = \{0, 1, 2, 3, \ldots\} \cup \{0', 1', 2', 3', \ldots\} \cup \{z\}$, where
$i \sqsubseteq j$ if $i \le j$, $i' \sqsubseteq j'$ if $i \le j$, $i \sqsubseteq z$, and $i' \sqsubseteq z$.]

Figure 2. A partial order in which no element is isolated.

Let $(D, \le)$ be a partially ordered set. An element $x \in D$ is isolated iff whenever $A \subseteq D$ is
directed, $\bigvee A$ exists, and $x \le \bigvee A$, there exists $a \in A$ with $x \le a$. In other words, $x$ is
isolated if one must go through $x$ in order to get up to or above $x$ via the limit process. As examples,
the finite sets are the isolated elements of the power set of $\omega$ ordered by inclusion; the ordinal
$\omega + 1$ is isolated in the set of countable ordinals under the usual ordering; in the partial order of
Figure 1, every element is isolated, while in the partial order of Figure 2 no elements are isolated.

The least element of a partially ordered set is always isolated provided it exists. 0 is the least
element of the nonnegative rationals under the usual ordering, and it is also the only isolated element.
The entire set of rationals has no isolated elements under the usual ordering.

For purposes of programming language semantics, partially ordered sets with least elements
form too general a category. The partially ordered sets of greatest interest for computer science are
those whose isolated elements are dense in the sense that every element is a least upper bound of a
countable set of isolated elements. To avoid transfinite inductions, and to make directed completeness
equivalent to $\omega$-completeness, it is convenient to assume also that there are only countably many
isolated elements.

Definition. A domain is a partially ordered set $(D, \le)$ such that

1. $D$ has a least element $\bot$.

2. Every element of $D$ is the least upper bound of a countable increasing sequence of isolated
elements.

3. The isolated elements of $D$ are countable.

This definition is nonstandard. The standard definition requires also that $D$ be $\omega$-complete, so
that $\omega$-continuous functions from $D$ to $D$ will have fixed points.

An $\omega$-complete domain is complete in the sense that every directed subset has a least upper
bound. An $\omega$-complete domain is also known as a countably algebraic complete partial order.¹¹

Every domain $D$ can be embedded in an $\omega$-complete domain $\bar{D}$ that is, in a precise sense, the
smallest $\omega$-complete domain containing $D$. The isolated elements of $\bar{D}$ are precisely the isolated
elements of $D$,¹² but in general $\bar{D}$ contains limit points that are not found in $D$. $\bar{D}$ is uniquely
determined up to isomorphism, and is called the $\omega$-completion, or simply the completion, of $D$. It
will be shown that for any domain $D$ the power domain of $D$ is isomorphic to the power domain of
its completion $\bar{D}$. Then why not use $\omega$-complete domains only, as is standard? Because the power
domain is interpreted with reference to the domain from which it is built. As will be explained in §5,
the underlying domain is incomplete in actor semantics.

¹¹ M B Smyth, “Power domains”, J Computer and System Sciences 16, 1978, pages 23-36.

¹² Hence $\bar{D}$ differs from completions that do not preserve least upper bounds, such as the basis
completion (Markowsky and Rosen) and Bloom’s $\omega$-completion. $\bar{D}$ is isomorphic to the basis
completion of $\{ x \in D \mid x \text{ is isolated in } D \}$. See G Markowsky and B K Rosen, “Bases for
chain-complete posets”, IBM J Research and Development 20, 2, March 1976, pages 138-147, Stephen L
Bloom, “Varieties of ordered algebras”, J Computer and System Sciences 13, 2, October 1976, pages
200-212, and Daniel Lehmann, “On the algebra of order”, J Computer and System Sciences 21, 1, August
1980, pages 1-23.

Figure 3. A domain and its $\omega$-completion.

At this point readers may wish to read the definition of the closure operation $^c$ on the next page
and then skip to §4. The remainder of this section shows how $\bar{D}$ may be constructed, and proves the
facts mentioned above.

As an aid to understanding the concrete construction of $\bar{D}$ that follows, consider the domain

$$\langle \{0, 1, 2, 3, \ldots\} \cup \{\omega\} \cup \{0', 1', 2', 3', \ldots\}, \sqsubseteq \rangle$$

where

$$i \sqsubseteq j \text{ if } i \le j$$

$$i' \sqsubseteq j' \text{ if } i \le j$$

$$i \sqsubseteq j' \text{ if } i \le j$$

$$i \sqsubseteq \omega$$

Figure 4. An incomplete domain.

This domain is pictured in Figure 3, along with its intuitive completion. Figure 4 shows why $\omega$ must
be less than $\omega'$. The domain in Figure 4 is incomplete because the increasing sequence
$\{i\}_{i \in \omega}$ has $\omega$ and $\omega'$ as its upper bounds, but neither is least.

Let $(D, \le)$ be a domain.

Definition. The closure of $A \subseteq D$ is

$$A^c = \{ d \in D \mid \exists X \subseteq D,\ X \text{ directed},\ d = \bigvee X,\ \text{and}\ \forall x \in X\ \exists a \in A\ \ x \le a \}.$$
Lemma 1. If $a, b \in D$ are isolated and have an upper bound $d$, then they have an isolated upper
bound $c$ such that $c \le d$.

Proof. Let $\{d_i\}_{i \in \omega}$ be an increasing sequence of isolated elements with
$\bigvee_{i \in \omega} d_i = d$. $\{ d_i \mid i \in \omega \}$ is directed, so there exist $d_i$ and $d_j$ with
$a \le d_i$ and $b \le d_j$. Let $k = \max\{i, j\}$ and $c = d_k$. ∎

Lemma 2. If $Y \subseteq D$ is directed, and $x = \bigvee Y$, then there exists a directed set $Z$, consisting
solely of isolated elements, such that

$$x = \bigvee Z$$

and

$$\forall z \in Z\ \exists y \in Y \quad z \le y.$$

Proof. For $y \in Y$ let $Z_y$ be a directed set of isolated elements with $y = \bigvee Z_y$, and let

$$Z = \bigcup_{y \in Y} Z_y.$$

It is clear that $Z$ consists of isolated elements, and that $\forall z \in Z\ \exists y \in Y\ z \le y$.

Let $z_1, z_2 \in Z$, and let $y_1, y_2 \in Y$ be such that $z_1 \in Z_{y_1}$ and $z_2 \in Z_{y_2}$. Let $y_3 \in Y$ be
an upper bound for $y_1$ and $y_2$, and hence for $z_1$ and $z_2$. By Lemma 1 there exists an isolated
$z \in D$ such that $z_1, z_2 \le z \le y_3 = \bigvee Z_{y_3}$. Let $z_3 \in Z_{y_3}$ be such that $z \le z_3$. $z_3$ is
an upper bound for $z_1$ and $z_2$ in $Z$, so $Z$ is directed.

Clearly $x$ is an upper bound for $Z$.

Let $x'$ be an upper bound for $Z$. $x'$ is an upper bound for each $Z_y$, so $y = \bigvee Z_y \le x'$. Thus
$x'$ is an upper bound for $Y$, whence $x = \bigvee Y \le x'$. Therefore $x$ is the least upper bound of $Z$. ∎

Lemma 3. The map $^c$ is a closure operator on the power set of $D$.

Proof. If $A \subseteq B$, then $A^c \subseteq B^c$. Also $A \subseteq A^c$.

To show $(A^c)^c = A^c$, let $x \in (A^c)^c$. $A^c$ is downward-closed. That is, if $a \in A^c$ and $x \le a$
then $x \in A^c$. Therefore there exists a directed set $Y \subseteq A^c$ with $x = \bigvee Y$. Let $Z$ be a
directed set of isolated elements with $x = \bigvee Z$ and $Z \subseteq A^c$.

Let $z \in Z$. Since $z \in A^c$ there exists a directed set $W$ such that $z = \bigvee W$ and
$\forall w \in W\ \exists a \in A\ w \le a$. Since $z$ is isolated there is some $w \in W$ with $z \le w$. Hence
there exists $a \in A$ such that $z \le a$.

$Z$ is directed, $x = \bigvee Z$, and $\forall z \in Z\ \exists a \in A\ z \le a$. Consequently $x \in A^c$. ∎

Note that $A^c$ is downward-closed and is closed under existing least upper bounds in $D$ of
directed subsets.
Definition. Let $(D, \le)$ be a domain with least element $\bot$. Its completion is $(\bar{D}, \sqsubseteq)$, where

$$\bar{D} = \{ A^c \mid \bot \in A \subseteq D,\ A \text{ directed} \}$$

and for all $A, B \in \bar{D}$

$$A \sqsubseteq B \iff A \subseteq B.$$

This makes $\bar{D}$ a partial order. Generally $(\bar{D}, \sqsubseteq)$ is not a lattice.

Lemma 4. If $A \in \bar{D}$ and $x, y \in A$ are isolated, then $x$ and $y$ have an isolated upper bound
$z \in A$.

Proof. Let $A_0 \subseteq D$ be directed with $A_0^c = A$. Let $x = \bigvee X$ where $X$ is directed and
$\forall w \in X\ \exists a \in A_0\ w \le a$. Since $x$ is isolated, $x \in X$. Thus there exists $x' \in A_0$ with
$x \le x'$. Similarly there exists $y' \in A_0$ with $y \le y'$. Let $z' \in A_0$ be an upper bound for $x'$ and
$y'$. Let $z$ be an isolated upper bound for $x$ and $y$ with $z \le z'$. $z \in A$ since $z' \in A$ and $A$ is
downward-closed. ∎

Lemma 5. Let $A \in \bar{D}$, and let $A_0$ be the set of isolated elements of $A$. $A_0$ is directed, and
$A_0^c = A$.

Proof. Immediate from Lemma 4 and the fact that every element of $D$ is a least upper bound of
isolated elements. ∎

Theorem 6. If $X \subseteq \bar{D}$ is directed, then $X$ has a least upper bound in $\bar{D}$ given by

$$\bigsqcup X = \Bigl(\bigcup X\Bigr)^c.$$

Proof. It suffices to show that $(\bigcup X)^c \in \bar{D}$, which requires finding a directed $Y \subseteq D$ with
$Y^c = (\bigcup X)^c$.

For $A \in X$, let $Y_A$ be the set of isolated elements of $A$. Each $Y_A$ is directed, and $Y_A^c = A$.

Since $X$ is directed in $\bar{D}$, $\bigcup_{A \in X} Y_A$ is directed in $D$. Clearly
$\bigcup_{A \in X} Y_A \subseteq \bigcup X$, so

$$\Bigl(\bigcup_{A \in X} Y_A\Bigr)^c \subseteq \Bigl(\bigcup X\Bigr)^c.$$

Let $x \in (\bigcup X)^c$, with $x = \bigvee Z'$ where $Z'$ is directed and $Z' \subseteq \bigcup X$. By Lemma 2 there
exists a directed set $Z \subseteq \bigcup X$ consisting solely of isolated elements such that $x = \bigvee Z$. Since
$Z \subseteq \bigcup_{A \in X} Y_A$, $x \in (\bigcup_{A \in X} Y_A)^c$.

Therefore $(\bigcup_{A \in X} Y_A)^c = (\bigcup X)^c$, and $(\bigcup X)^c \in \bar{D}$. ∎

Hence $(\bar{D}, \sqsubseteq)$ is a complete partial order.

$D$ may be regarded as a subset of $\bar{D}$ via the continuous injection given by $x \mapsto \bar{x}$ where
$\bar{x} = \{ d \in D \mid d \le x \}$. From Lemma 5 it can be seen that

$$A = \bigsqcup_{\substack{x \in A \\ x \text{ isolated}}} \bar{x}$$

for any $A \in \bar{D}$. The following theorem thus completes a proof that $\bar{D}$ is an $\omega$-complete
domain with least element $\{\bot\}$.

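Theorem 7. The isolated elements of $\bar{D}$ are precisely the images $\bar{x}$ of isolated elements $x$ in $D$.

Proof. Let $x$ be isolated in $D$, and let $X \subseteq \bar{D}$ be directed with

$$\bar{x} = \{ y \mid y \le x \} \subseteq \bigsqcup X.$$

By Theorem 6 $x \in (\bigcup X)^c$, so let $Y \subseteq \bigcup X$ be directed with $x = \bigvee Y$. $x$ is isolated, so
$x \in Y$. Thus $x \in A$ for some $A \in X$. For that $A$, $\bar{x} \subseteq A$. Therefore $\bar{x}$ is isolated in
$\bar{D}$.

Conversely, let $A \in \bar{D}$ be isolated. Let $\{ \bot = b_0, b_1, b_2, \ldots \}$ be the isolated elements of
$D$. Define an increasing sequence $\{x_i\}_{i \in \omega}$ in $D$ by

$$x_0 = b_0 = \bot$$

$$x_{i+1} = \begin{cases} x_i & \text{if } b_{i+1} \notin A, \\ b_k & \text{if } b_{i+1} \in A, \end{cases}$$

where $k = \mu n\,[\, b_{i+1} \le b_n \wedge x_i \le b_n \wedge b_n \in A \,]$. The isolated elements of $A$ are
directed, and $x_i \in A$, so $k$ is defined whenever $b_{i+1} \in A$. For every isolated $y \in A$ there exists
$k$ such that $y \le x_k$. Since $A = (\{ y \in A \mid y \text{ isolated} \})^c$,
$A = \bigsqcup \{ \bar{x}_i \mid i \in \omega \}$. $\{ \bar{x}_i \mid i \in \omega \}$ is directed since $\{x_i\}$ is
increasing. Therefore $A = \bar{x}_i$ for some $i$. ∎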


That $\bar{D}$ is the unique completion of $D$ is guaranteed by a universal mapping property.¹³ This
universal property is hardly more than a paraphrase of a theorem on finitary categories by Smyth and
Plotkin.¹⁴

¹³ Saunders MacLane, Categories for the Working Mathematician, Springer-Verlag, New York, 1971.

¹⁴ M B Smyth and G D Plotkin, “The category-theoretic solution of recursive domain equations”,
Proceedings 18th Annual IEEE Symposium on Foundations of Computer Science, 1977, pages 13-17.
Theorem 8. If $E$ is an $\omega$-complete domain, and $f : D \to E$ is $\omega$-continuous, then there exists a
unique $\omega$-continuous map $g : \bar{D} \to E$ making the diagram below commute.

[Diagram: $f : D \to E$, the injection $x \mapsto \bar{x}$ from $D$ to $\bar{D}$, and $g : \bar{D} \to E$.]

In other words, any continuous map $f$ from $D$ to $E$ factors uniquely through $\bar{D}$:
$f = g \circ \bar{\cdot}$. This means that any $\omega$-complete domain containing $D$ also contains
$\bar{D}$, so that $\bar{D}$ is the smallest $\omega$-completion of $D$. Furthermore any $\omega$-complete domain
with this property is isomorphic to $\bar{D}$ via a unique isomorphism.



III.4. The Power Domain 


The idea of power domains is that a nondeterministic function may be described as a deterministic
set-valued function, where the set contains all values the nondeterministic function can take for the
given argument. Consider, for example, the program

    ∇ RESULT ← FOO X
    [1] GLOBAL ← 0
    [2] RESULT ← (F X) + (G X)
    ∇

    ∇ RESULT ← F X
    [1] RESULT ← GLOBAL
    [2] GLOBAL ← 1
    ∇

    ∇ RESULT ← G X
    [1] RESULT ← GLOBAL
    [2] GLOBAL ← 1
    ∇

defined in §1. When the subprograms F and G are evaluated in parallel on a multiprocessor, FOO can
map its input to either 0 or 1. This behavior can be described by

$$x \mapsto \{0, 1\},$$

and this is the best description of FOO’s input-output behavior possible when arguments are evaluated
in parallel.

Figure 5. N, the flat domain of natural numbers.
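The set $\{0, 1\}$ can be confirmed by enumerating every schedule of F and G. The Python below is an added example, not code from the thesis; it assumes that each numbered line of F and G runs as one atomic step, and the names `interleavings`, `run_foo`, `outcomes_by_schedule` and `foo_outcomes` are hypothetical.

```python
from itertools import combinations

# Added illustration. Assumption: each numbered APL line of F and G is one
# atomic step, and the two subprograms share the variable GLOBAL.


def read_global(state, frame):
    """Line [1] of F and of G: RESULT <- GLOBAL."""
    frame["RESULT"] = state["GLOBAL"]


def write_global(state, frame):
    """Line [2] of F and of G: GLOBAL <- 1."""
    state["GLOBAL"] = 1


PROGRAMS = {
    "F": [read_global, write_global],
    "G": [read_global, write_global],
}


def interleavings(n_f, n_g):
    """Yield every merge of n_f steps of F with n_g steps of G.

    Each schedule is a tuple of 'F'/'G' labels; the order of steps inside
    each subprogram is preserved, only the merge between them varies.
    """
    total = n_f + n_g
    for f_slots in combinations(range(total), n_f):
        chosen = set(f_slots)
        yield tuple("F" if i in chosen else "G" for i in range(total))


def run_foo(schedule):
    """Run FOO under one schedule and return its RESULT."""
    state = {"GLOBAL": 0}              # FOO line [1]
    frames = {"F": {}, "G": {}}        # each call has its own RESULT
    pc = {"F": 0, "G": 0}              # next step of each subprogram
    for who in schedule:
        PROGRAMS[who][pc[who]](state, frames[who])
        pc[who] += 1
    return frames["F"]["RESULT"] + frames["G"]["RESULT"]   # FOO line [2]


def outcomes_by_schedule():
    """Map every schedule to the value FOO returns under it."""
    n_f, n_g = len(PROGRAMS["F"]), len(PROGRAMS["G"])
    return {s: run_foo(s) for s in interleavings(n_f, n_g)}


def foo_outcomes():
    """The set-valued description of FOO: all values it can return."""
    return set(outcomes_by_schedule().values())


if __name__ == "__main__":
    for schedule, value in sorted(outcomes_by_schedule().items()):
        print("".join(schedule), "->", value)
    print("possible results:", sorted(foo_outcomes()))
```

Schedules in which one subprogram finishes before the other starts return 1; every schedule in which both reads precede both writes returns 0.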

Since fixed point semantics works by generating a sequence of ever-better approximations to the
meaning of a program, some ordering $\sqsubseteq$ must be placed on sets of values so that $A \sqsubseteq B$ means that
$B$ is at least as good an approximation as $A$. The values will be drawn from some domain $(D, \le)$.

One of the simplest domains is the flat domain of natural numbers $(N, \le)$, where $N =
\{ \bot, 0, 1, 2, 3, \ldots \}$ and $x \le y$ iff $x = y$ or $x = \bot$. (Note that $\le$ is not the usual ordering on
$N$.) This domain is pictured in Figure 5. Suppose for simplicity that APL programs can return only
nonnegative integers as values, so that the output of FOO lies in $N$. As already noted, the possible
outputs of FOO when arguments are evaluated in parallel are best described by the set

$$\{0, 1\}.$$

Which subsets of $N$ should count as approximations to this set? There are at least three reasonable
answers. To each answer there corresponds a way of interpreting sets, and to each interpretation there
corresponds a preorder. The three preorders we will consider are written $\sqsubseteq_0$, $\sqsubseteq_1$, and
$\sqsubseteq_{E\text{-}M}$.

One approach is to interpret a set as including a description of every possible output value. Not
every element of the set has to describe an output value, but every output value has to be described by
an element of the set. In this approach $N$ and $\{0, 1, 2\}$ both approximate $\{0, 1\}$, but $\{0, 1, 2\}$ is a
more refined approximation than $N$:

$$N \sqsubseteq_0 \{0, 1, 2\} \sqsubseteq_0 \{0, 1\}.$$

$\{0, 1, 3\}$ is an example of an approximation to $\{0, 1\}$ that is incomparable with $\{0, 1, 2\}$. For
general domains this approximation ordering is given for $A, B \subseteq D$ by

$$A \sqsubseteq_0 B \iff \forall y \in B\ \exists x \in A \quad x \le y.$$

As is true also of the next two approximation orderings, $\sqsubseteq_0$ is in general only a preorder. In
the case of $\sqsubseteq_0$, $\{\bot\} \sqsubseteq_0 D \sqsubseteq_0 \{\bot\}$. $\sqsubseteq_0$ is the Smyth ordering, and yields a
so-called weak power domain.¹⁵ It has been used to give a semantics for a model of concurrency based
on message passing.¹⁶

Another approach is to interpret a set as giving descriptions of some possible output values. Not
every possible output value has to be described by an element of the set, but every element of the set
has to describe an output value. In this approach $\{\bot\}$ and $\{0\}$ both approximate $\{0, 1\}$, but $\{0\}$
is a more refined approximation than $\{\bot\}$:

$$\{\bot\} \sqsubseteq_1 \{0\} \sqsubseteq_1 \{0, 1\}.$$

$\{1\}$ is an example of an approximation to $\{0, 1\}$ that is incomparable with $\{0\}$. For general
domains this approximation ordering is given for $A, B \subseteq D$ by

$$A \sqsubseteq_1 B \iff \forall x \in A\ \exists y \in B \quad x \le y.$$

In this ordering approximations build up to a limit, while in the Smyth ordering approximations narrow
down to a limit. In other words, $\sqsubseteq_1$ corresponds to a generative approach while $\sqsubseteq_0$ corresponds
to a restrictive approach. $\sqsubseteq_1$ also gives rise to a weak power domain, and has been used in the theory
of Petri nets.¹⁷ The actor semantics presented in the next chapter will use $\sqsubseteq_1$.

Historically, the first approach was to interpret a set in both of the preceding ways. For flat
domains such as $N$ the Egli-Milner ordering was defined by

$$A \sqsubseteq_{E\text{-}M} B \iff (\bot \notin A \wedge A = B) \vee (\bot \in A \wedge (A - \{\bot\}) \subseteq B).$$

¹⁵ M B Smyth, “Power domains”.

¹⁶ George Milne and Robin Milner, “Concurrent processes and their syntax”, JACM 26, 2, April 1979,
pages 302-321.

¹⁷ Mogens Nielsen, Gordon Plotkin, and Glynn Winskel, “Petri nets, event structures and domains” in
Semantics of Concurrent Computation, Springer-Verlag Lecture Notes in Computer Science 70, 1979,
pages 266-284.
Gordon Plotkin generalized to arbitrary domains by the definition¹⁸

$$A \sqsubseteq_{E\text{-}M} B \iff A \sqsubseteq_0 B \wedge A \sqsubseteq_1 B.$$

In this approach $\{\bot\}$ and $\{\bot, 0\}$ both approximate $\{0, 1\}$, but $\{\bot, 0\}$ is a more refined
approximation than $\{\bot\}$:

$$\{\bot\} \sqsubseteq_{E\text{-}M} \{\bot, 0\} \sqsubseteq_{E\text{-}M} \{0, 1\}.$$

$\{\bot, 1\}$ is an example of an approximation to $\{0, 1\}$ that is incomparable with $\{\bot, 0\}$. The
Egli-Milner ordering has been used to give a semantics for Communicating Sequential Processes, a
language based on message passing.¹⁹
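The three preorders can be checked mechanically on the flat domain. The Python below is an added example, not code from the thesis: it implements $\sqsubseteq_0$, $\sqsubseteq_1$ and both forms of the Egli-Milner ordering, confirms each comparison stated above, and tests that the flat-domain definition agrees with Plotkin's general one on every pair of nonempty subsets. The names `approx0`, `approx1`, `approx_em`, `approx_em_flat` and the finite truncation `N_TRUNC` of $N$ are assumptions of the example.

```python
from itertools import combinations

# Added illustration on a finite truncation of the flat domain N.
BOT = "bottom"                                # stands for the least element
N_TRUNC = frozenset({BOT, 0, 1, 2, 3})        # constructed: N cut off at 3


def leq(x, y):
    """Flat ordering: x <= y iff x = y or x is the least element."""
    return x == y or x == BOT


def approx0(a, b):
    """Smyth preorder: every y in B lies above some x in A."""
    return all(any(leq(x, y) for x in a) for y in b)


def approx1(a, b):
    """Second preorder: every x in A lies below some y in B."""
    return all(any(leq(x, y) for y in b) for x in a)


def approx_em(a, b):
    """Plotkin's general Egli-Milner preorder: both of the above."""
    return approx0(a, b) and approx1(a, b)


def approx_em_flat(a, b):
    """Egli-Milner ordering as originally defined for flat domains."""
    if BOT not in a:
        return set(a) == set(b)
    return (set(a) - {BOT}) <= set(b)


def incomparable(rel, a, b):
    return not rel(a, b) and not rel(b, a)


def nonempty_subsets(universe):
    items = list(universe)
    for size in range(1, len(items) + 1):
        for combo in combinations(items, size):
            yield frozenset(combo)


def em_definitions_agree(universe=N_TRUNC):
    """Compare the flat and the general definition on all nonempty pairs."""
    subsets = list(nonempty_subsets(universe))
    return all(approx_em(a, b) == approx_em_flat(a, b)
               for a in subsets for b in subsets)


def page_claims():
    """Each comparison stated in the text, evaluated on the truncation."""
    return {
        "N <=0 {0,1,2} <=0 {0,1}":
            approx0(N_TRUNC, {0, 1, 2}) and approx0({0, 1, 2}, {0, 1}),
        "{0,1,3} vs {0,1,2} incomparable under <=0":
            incomparable(approx0, {0, 1, 3}, {0, 1, 2}),
        "<=0 is only a preorder":
            approx0({BOT}, N_TRUNC) and approx0(N_TRUNC, {BOT}),
        "{bot} <=1 {0} <=1 {0,1}":
            approx1({BOT}, {0}) and approx1({0}, {0, 1}),
        "{1} vs {0} incomparable under <=1":
            incomparable(approx1, {1}, {0}),
        "{bot} <=EM {bot,0} <=EM {0,1}":
            approx_em({BOT}, {BOT, 0}) and approx_em({BOT, 0}, {0, 1}),
        "{bot,1} vs {bot,0} incomparable under <=EM":
            incomparable(approx_em, {BOT, 1}, {BOT, 0}),
    }


if __name__ == "__main__":
    for claim, holds in page_claims().items():
        print(f"{claim}: {holds}")
    print("flat and general Egli-Milner agree:", em_definitions_agree())
```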

Each of the three preorders, $\sqsubseteq_0$, $\sqsubseteq_1$, and $\sqsubseteq_{E\text{-}M}$, gives rise to a power domain
construction applicable to any $\omega$-complete partial order having a least element.²⁰ But for the need to
solve recursive domain equations involving power domains, at least the first two of these constructions
could be extended to incomplete domains as well. In the actor semantics presented in Chapter IV there
is no need to solve recursive domain equations involving the power domain. Furthermore the domain of
augmented event diagrams, from which the actor power domain is to be built, is naturally incomplete.
The remainder of this section therefore defines power domains for all domains, complete or incomplete,
and shows that for an incomplete domain $D$ the power domain so defined is isomorphic to the
conventionally defined power domain of its $\omega$-completion $\bar{D}$.

Michael Smyth has given a succinct characterization of conventional power domains, which we
will now review. He points out that the simplest way to build a power domain is first to decide
what is to count as a finite piece of information about the result of a computation, and then to place
an approximation ordering on the finite pieces of information. The power domain then becomes the
essentially unique completion of the partial order so defined.

¹⁸ G D Plotkin, “A powerdomain construction”, SIAM J Computing 5, 3, September 1976, pages 452-487.

¹⁹ Nissim Francez, C A R Hoare, Daniel J Lehmann, and Willem P de Roever, “Semantics of nondeterminism,
concurrency, and communication”, J Computer and System Sciences 19, 1979, pages 290-308.

²⁰ M C B Hennessy and G D Plotkin, “Full abstraction for a simple parallel programming language”,
POCS-79, Springer-Verlag Lecture Notes in Computer Science 74, 1979.

²¹ M B Smyth, “Power domains.”
Let $(D, \le)$ be a domain. In the most commonly encountered domains, isolated elements
represent finite chunks of information in $D$, and indeed the term “finite” is often used in place of
“isolated”. A finite piece of information should therefore be a nonempty finite set of isolated elements
from $D$. Smyth preordered these sets using $\sqsubseteq_0$ and $\sqsubseteq_{E\text{-}M}$, but we will use $\sqsubseteq_1$, so that a
nonempty finite set of isolated elements $A \subseteq D$ is interpreted to mean

$$\forall a \in A\ \exists r \in R \quad a \le r$$

where $R$ is the actual set of values possible as the result of a nondeterministic program. Letting
$A \equiv_1 B$ iff $A \sqsubseteq_1 B$ and $B \sqsubseteq_1 A$, the equivalence classes of such sets under $\equiv_1$ are partially
ordered by the quotient ordering $\sqsubseteq_1 / \equiv_1$.

The equivalence classes can be avoided by dealing with distinguished representatives of them.
Accordingly define the finite frontiers of $D$ as

$$F(D) = \{ A \subseteq D \mid A \text{ is a nonempty finite set of isolated elements, and } \forall x, y \in A\ \ x \le y \Rightarrow x = y \}.$$

$A \in F(D)$ is called a frontier because each of its elements is both minimal and maximal in $A$.
$(F(D), \sqsubseteq_1)$ is isomorphic to the set of equivalence classes under $\equiv_1$ of nonempty finite sets of
isolated elements of $D$ ordered by $\sqsubseteq_1 / \equiv_1$. $(F(D), \sqsubseteq_1)$ is a domain with least element
$\{\bot\}$ in which every element is isolated. It therefore has an $\omega$-completion
$(\overline{F(D)}, \sqsubseteq)$, which is the power domain, up to isomorphism.

Observe that only the isolated elements of $D$ matter to the construction. It is therefore irrelevant
whether $D$ is $\omega$-complete.

The following lemma characterizes the conventional power domain $(\overline{F(D)}, \sqsubseteq)$.

Lemma 1. $S \in \overline{F(D)}$ if and only if both the following hold:

1. $S = \{ F \in F(D) \mid F \subseteq \bigcup S \}$.

2. If $s \in \bigcup S$, $x$ is isolated, and $x \le s$, then $x \in \bigcup S$.

Proof. Since every element of $F(D)$ is isolated, $S \in \overline{F(D)}$ iff $S$ is downward-closed and directed
as a subset of $F(D)$.

Let $S \in \overline{F(D)}$.

Let $s \in \bigcup S$ and let $x$ be isolated with $x \le s$. There exists $F \in S$ with $s \in F$, and so by
definition $\{x\} \sqsubseteq_1 F$. Therefore $\{x\} \in S$ since $S$ is downward-closed, whence $x \in \bigcup S$.

If $F \in S$, then $F \in F(D)$ and $F \subseteq \bigcup S$. Suppose $F = \{ f_0, \ldots, f_n \} \in F(D)$ with
$F \subseteq \bigcup S$. Since $S$ is downward-closed, $\{ f_i \} \in S$ for $i = 0, \ldots, n$. Since $S$ is directed,
$F = \bigsqcup \{\, \{ f_i \} \mid i = 0, \ldots, n \,\} \in S$.

Conversely, suppose $S$ satisfies conditions 1 and 2 of the lemma. Let $F_1, F_2 \in S$.
$F_1 \sqcup_1 F_2 \subseteq F_1 \cup F_2 \subseteq \bigcup S$, so $F_1 \sqcup_1 F_2 \in S$ and $S$ is directed. Let $F_1 \in S$,
and let $F \sqsubseteq_1 F_1$. For every $x \in F$ there exists $s \in F_1$ with $x \le s$. By condition 2
$F \subseteq \bigcup S$. By condition 1 $F \in S$. Thus $S$ is downward-closed. Being downward-closed and directed,
$S \in \overline{F(D)}$. ∎

A corollary of this lemma is that the least upper bound of an increasing sequence
$\{S_i\}_{i \in \omega}$ in $\overline{F(D)}$ is given by $\bigsqcup_{i \in \omega} S_i = \bigcup_{i \in \omega} S_i$.

The concrete power domain that we will use is defined below. As will be shown, it is isomorphic
to $(\overline{F(D)}, \sqsubseteq)$.

The closure operation $^c$ was defined in §3.

Definition. Let $(D, \le)$ be a domain. Its power domain is $(P[D], \sqsubseteq)$, where

$$P[D] = \{ A^c \mid \bot \in A \subseteq D \}$$

and, for $A, B \in P[D]$,

$$A \sqsubseteq B \iff A \subseteq B.$$

In other words, $P[D]$ is the collection of downward-closed subsets of $D$ that are also closed under
existing least upper bounds of directed sets in $D$. Note that while the ordering on $P[D]$ is given by the
subset relation, least upper bounds do not in general coincide with unions.

For the actor event diagram domain $D$, an element of $P[D]$ represents a list of possible initial
histories of a computation. Since for elements $x$ and $y$ of $D$, $x \le y$ means that $x$ is an initial segment
of the initial history $y$, the requirement that elements of $P[D]$ be downward-closed has a clear basis in
intuition.
The next theorem gives several nice properties of the power domain. In particular, it is an
$\omega$-complete domain, so $\omega$-continuous functions have fixed points.

Definition. A countably based continuous complete lattice is an $\omega$-complete domain such that for
any subset $X$ of the domain both a least upper bound $\bigsqcup X$ and a greatest lower bound
$\bigsqcap X$ exist.

Theorem 2. If $(D, \le)$ is a domain, then $(P[D], \sqsubseteq)$ is a countably based continuous complete
lattice.

Proof. If $X \subseteq P[D]$, then $\bigsqcup X = (\bigcup X)^c$ and $\bigsqcap X = \bigcap X$.

The isolated elements of $P[D]$ are the closures of finite sets of isolated elements, that is sets of
the form $\{ x_0, \ldots, x_n \}^c$ where $x_0, \ldots, x_n$ are isolated in $D$. To prove it, let
$x_0, \ldots, x_n$ be isolated and let $X \subseteq P[D]$ be directed with
$\{ x_0, \ldots, x_n \}^c \subseteq \bigsqcup X$. Since $x_i \in (\bigcup X)^c$ and $x_i$ is isolated,
$x_i \in \bigcup X$. Let $A_i \in X$ have $x_i$ as an element. Let $A \in X$ be an upper bound for
$A_0, \ldots, A_n$. $\{ x_0, \ldots, x_n \}^c \subseteq A$.

Conversely, let $A \in P[D]$ be isolated and let $\{ x_i \mid i \in \omega \}$ be the isolated elements of $A$. Let

$$X_n = \{ x_i \mid i \le n \}.$$

Then $\{ X_n^c \}_{n \in \omega}$ is an increasing sequence in $P[D]$ and $A = \bigsqcup_{n \in \omega} X_n^c$, so for
some $n$, $A = X_n^c$. ∎


The following theorem says that at a certain level of abstraction $P[D]$ is the same as the conventional
power domain of $D$. While $P[D]$ will be used in the next chapter to give a semantics for actor-based
programming languages with unbounded nondeterminism, however, the conventional power
domain is usually considered incapable of expressing unbounded nondeterminism. This points out
the importance of the concrete interpretation placed upon elements of the power domain.

Theorem 3. If $(D, \le)$ is a domain, then $(P[D], \sqsubseteq)$ is isomorphic to $(\overline{F(D)}, \sqsubseteq)$.

Proof. Consider the map from $F(D)$ to $P[D]$ given by $F \mapsto F^c$. This map is monotonic and is
trivially continuous since $F(D)$ has only isolated elements. By Theorem 8 of §3 there exists a unique
continuous extension of this map with domain $\overline{F(D)}$. This unique extension is
$\eta : \overline{F(D)} \to P[D]$ with $\eta(S) = (\bigcup S)^c$ for all $S \in \overline{F(D)}$. It remains to be shown
that $\eta$ is one-to-one and onto and has a continuous inverse.

$(\bigcup S)^c$ is the same as $(\bigcup S)$ except for non-isolated elements, so $\eta$ is one-to-one by
Lemma 1. If $A \in P[D]$, then

$$A = \{ x \in A \mid x \text{ is isolated} \}^c = \eta(\{ F \in F(D) \mid F \subseteq A \})$$

so $\eta$ is onto $P[D]$.

The inverse of $\eta$ is $\theta : P[D] \to \overline{F(D)}$ where $\theta(A) = \{ F \in F(D) \mid F \subseteq A \}$.
$\theta$ is clearly monotonic. To show $\theta$ continuous, let $\{A_i\}_{i \in \omega}$ be an increasing sequence in
$P[D]$ and let $F \in \theta(\bigsqcup_{i \in \omega} A_i)$. That is,
$F \subseteq \bigsqcup_{i \in \omega} A_i = (\bigcup_{i \in \omega} A_i)^c$. Each $x \in F$ is isolated and so $x \in A_i$
for some $i$. $F$ is a finite set, and $\{A_i\}_{i \in \omega}$ is an increasing sequence, so $F \subseteq A_i$ for some
$i$. Therefore $F \in \bigcup_{i \in \omega} \theta(A_i)$. ∎

III.5. Power Domains from Incomplete Domains

Usually the partial order from which the power domain is constructed is required to be
$\omega$-complete. There are two reasons for this. The first reason is that most power domains are simply
generalizations of domains that have been used as semantic domains for conventional sequential
programs, and such domains are all complete because of the need to compute fixed points in the
sequential case. The second reason is that $\omega$-completeness permits the solution of recursive domain
equations involving the power domain such as

$$R \cong S \to P[S + (S \times R)]$$

which defines a domain of resumptions.²² As shown in the previous section, however, power domains
can be defined for any domain whatsoever. Furthermore the power domain of a domain is essentially
the power domain of its $\omega$-completion, so recursive equations involving the power domain of an
incomplete domain can still be solved, provided the domains to which the usual constructors ($+$,
$\times$, $\to$, and $*$) are applied are $\omega$-complete. It happens that defining actor semantics as in the next
chapter does not require solving any recursive equations involving the power domain.

²² Plotkin, “A powerdomain construction”.
In short, there is no technical impediment to building power domains from incomplete domains.
But why should one want to do so?

In behavioral semantics, developed by Irene Greif, the meaning of a program is a specification of
the computations that may be performed by the program. The computations are represented formally
by the actor event diagrams considered in Chapter II. Greif specified the event diagrams by means of
causal axioms governing the behaviors of individual actors.²³

Henry Baker has presented a nondeterministic interpreter generating instantaneous schedules
which then map onto event diagrams. He suggested that a corresponding deterministic interpreter
operating on sets of instantaneous schedules could be defined using power domain semantics.²⁴

The semantics presented in the next chapter is a version of behavioral semantics. A program
will denote a set of actor event diagrams. That set will be defined extensionally using power domain
semantics rather than intensionally using causal axioms. The behaviors of individual actors will be
defined functionally. It will be shown, however, that the resulting set of actor event diagrams consists
of exactly those diagrams that satisfy causal axioms expressing the functional behaviors of actors.
Thus Greif’s behavioral semantics is compatible with a denotational power domain semantics.

Baker’s instantaneous schedules introduced the notion of pending events, which represent messages
on the way to their targets or in the process of being sent. Each pending event must become
an actual (realized) event sooner or later, a requirement referred to as finite delay. Augmenting
actor event diagrams with sets of pending events helps to express the finite delay property, which is
characteristic of true concurrency.²⁵

The augmented actor event diagrams form a partially ordered set $(D, \le)$ from which to construct
the power domain $P[D]$. The augmented diagrams are partial computation histories representing
“snapshots” of a computation on its way to being completed. For $x, y \in D$, $x \le y$ means x
is a stage the computation could go through on its way to y. The completed elements of D represent
computations that have terminated and nonterminating computations that have become infinite. The
completed elements may be characterized abstractly as the maximal elements of D. 26 Concretely, the
completed elements are those having no pending events. Intuitively, D is not ω-complete because
there exist increasing sequences of finite partial computations

$$x_0 \le x_1 \le x_2 \le x_3 \le \cdots$$

in which some pending event remains pending forever while the number of realized events grows
without bound, contrary to the requirement of finite delay. Such a sequence cannot have a limit,
because any limit would represent a completed nonterminating computation in which an event is still
pending.

23 Irene Greif, “Semantics of communicating parallel processes”, MIT Project MAC Technical Report 154, September
1975.

24 Henry Baker, “Actor systems for real-time computation”, MIT LCS Technical Report 197, March 1978.

25 Jerald S Schwarz, “Denotational semantics of parallelism”, in Semantics of Concurrent Computation, Springer-Verlag
Lecture Notes in Computer Science 70, 1979.

Many readers will be concerned about the possibility of a nonterminating computation proceeding
merrily along from one finite stage to the next but blowing up at infinity without a trace, that is,
without an element in D to represent the entire nonterminating computation. That cannot happen.
In Chapter IV it will be shown for every program that the set of partial computations that can occur
is exactly the set of initial histories of the completed computations that can occur. Every element
of D lies below a completed element, and the completed elements represent all possible completed
computations, both terminating and nonterminating. If an increasing sequence does not have a limit,
then it does not represent a possible computation, because the sequence reveals a message that is sent
but that never arrives at its target. ω-incompleteness thus follows from the assumption of finite delay.

The fact that there exist increasing sequences without least upper bounds will seem strange to 
those accustomed to thinking about the semantics of sequential programs. It may help to point out 
that the increasing sequences produced by sequential programs all have least upper bounds. Indeed, 
the partial computations that can be produced by sequential computations form an ω-complete
subdomain of D. An informal proof follows.

From the actor point of view, sequential computations are a special case of concurrent computations,
distinguishable by their event diagrams. The event diagram of a sequential computation has an
initial event, and no event activates more than one event. In other words, the activation ordering of a
sequential computation is linear; the event diagram is essentially a conventional execution sequence.
This means that the finite elements of D

$$x_0 \le x_1 \le x_2 \le x_3 \le \cdots$$

corresponding to the finite initial segments of a sequential execution sequence all have exactly one
pending event, excepting the largest, completed element if the computation terminates. One property
of the augmented event diagrams domain $(D, \le)$ is that if $x \le y$ and $x \ne y$, then some pending
event of x is realized in y. Since in this case each $x_i$ has at most one pending event, every pending
event in the sequence becomes realized. Hence the sequence

$$x_0 \le x_1 \le x_2 \le x_3 \le \cdots$$

has a least upper bound in D, in accord with intuition.

26 See §0 of William W Wadge, “An extensional treatment of dataflow deadlock”, in Semantics of Concurrent Computation,
Springer-Verlag Lecture Notes in Computer Science 70, 1979.

The above proof applies to all sequential programs, even those with choice points such as 
guarded commands. Thus actor semantics includes sequential programs as a special case, and agrees 
with conventional semantics on the meanings of such programs. 

For convenience, though, the behavioral semantics presented in the next chapter will assume that 
all actors are deterministic, which rules out choice points. We exclude choice nondeterminism, the 
better to study arrival nondeterminism. 

To repeat, the actor event diagram domain D is incomplete because of the requirement of finite 
delay, which allows any finite delay between an event and an event it activates but rules out infinite 
delay. Finite delay follows from leaving much timing information unspecified, such as the cylinder 
that happens to be under a disk head at a particular instant, the detailed time-dependent behavior 
of a communications network, the relative speeds of concurrent processors, and the exact times at 
which inputs are presented to the computing system by the external world. All these timing details are
suppressed in the interest of obtaining greater abstraction. 

The next three sections explain the relation between finite delay and fair parallelism. 

III.6. Implementations are not Meanings 

It is not necessary for the semantics to determine an implementation, but it 
should provide criteria for showing that an implementation is correct. 
Thus spoke Dana Scott of the purposes of a programming language semantics. 27 Usually, however,
the formal semantics of a conventional sequential programming language may itself be interpreted to 
provide an (inefficient) implementation of the language. A formal semantics need not always provide 
such an implementation, though, and to believe that semantics must provide an implementation leads 
to confusion about the formal semantics of nondeterministic languages. Such confusion is painfully 
evident when the presence of unbounded nondeterminism in a programming language’s semantics is 
said to imply that the programming language cannot be implemented. 

Although the meaning of a computer program may be described by an element of a power 
domain, so that the program’s meaning is a set, execution of the program is not supposed to produce 
the set as its answer. Rather the set describes the possible outcomes of executing the program. 

Indeed, although the meaning of the program is represented as a set of possible outcomes, it 
is not necessary that every possible outcome be possible in every implementation of the program. 
This permits nondeterministic languages to be implemented efficiently on deterministic, sequential 
machines. 

In other words, implementations are not required to preserve all the nondeterminism present in 
the semantics. This corresponds to loose nondeterminism in the distinction drawn by David Park: 28 

tight nondeterminism: each correct implementation must, according to some 
precise sense of “possible result”, produce all and only those possible results 
which the semantics of the language prescribes. 


loose nondeterminism: there may or may not be a sense in which the implementation
can produce more than one result; the only constraint is that
every result produced is one of those prescribed by the semantics.

III.7. Choice Nondeterminism is Bounded 

Unbounded nondeterminism, defined below, is an arcane technical notion of little interest in
its own right. It is useful in pointing out the difference between choice nondeterminism and the
nondeterminism that arises from concurrency, and in discussing the interesting and practical question
of fairness.

27 “What is Denotational Semantics?”, MIT Laboratory for Computer Science Distinguished Lecture Series, 17 April
1980.

28 “On the semantics of fair parallelism”, University of Warwick Theory of Computation Report 31, October 1979.

If, for some fixed input, a program always returns an answer but the number of possible answers
is infinite, then the program is said to exhibit unbounded nondeterminism. Unbounded nondeterminism
as thus defined is not a very precise concept since it depends critically upon the meaning of
“possible”. In my opinion it is best to take the possible answers as those permitted by the semantics of
the programming language in which the program is written. This gives unbounded nondeterminism a
meaning as precise as can be had given the semantics of the language under consideration. Under this
interpretation unbounded nondeterminism is a property of programs, not a property of implementations.

Nondeterminism that is not unbounded is bounded. Thus the nondeterminism of a program that 
may not halt is bounded. 

Nondeterministic Turing machines have only bounded nondeterminism. 29 Sequential programs 
containing guarded commands as the only sources of nondeterminism have only bounded nondeterminism.
30 Briefly, choice nondeterminism is bounded. Plotkin gave a proof in his original paper on
power domains: 31 


Now the set of all initial segments of execution sequences of a given nondeterministic
program P, starting from a given state, will form a tree. The
branching points will correspond to the choice points in the program. Since
there are always only finitely many alternatives at each such choice point, the
branching factor of the tree is always finite. That is, the tree is finitary. Now
König’s lemma says that if every branch of a finitary tree is finite, then so is
the tree itself. In the present case this means that if every execution sequence 
of P terminates, then there are only finitely many execution sequences. So if 
an output set of P is infinite it must contain [a nonterminating computation]. 


This proof depends upon the premise that if every node x of a certain infinite branch can be reached
by some computation c, then there exists a computation c that goes through every node x on the
branch. In other words, the premise is of the form

$$\forall x\, \exists c\, F(x, c) \Rightarrow \exists c\, \forall x\, F(x, c).$$

Clearly this premise follows not from logic but rather from the interpretation given to choice points.
This premise fails for arrival nondeterminism because of finite delay. Though each node on an infinite
branch must lie on a branch with a limit, the infinite branch need not itself have a limit. Thus the
existence of an infinite branch does not necessarily imply a nonterminating computation.

29 A nondeterministic Turing machine is a mathematical abstraction, not a physical machine. A given nondeterministic
Turing machine is thus better viewed as a program than as an implementation.

30 Edsger Dijkstra, A Discipline of Programming, Prentice Hall, 1976.

31 G D Plotkin, “A powerdomain construction”, SIAM J Computing 5, 3, September 1976, pages 452-487.

The following program, written in Communicating Sequential Processes, 32 is an example of a
program with choice nondeterminism. Its nondeterminism is therefore bounded.

    [P :: n : integer; n := 0;
          guard : boolean; guard := true;
          *[guard → n := n + 1
            □ guard → guard := false]
    ]


The repetitive guarded command might never terminate, because the first guard might always be 
chosen in preference to the second. While in a sense this is unfair to the second guard, it is allowed by 
the interpretation of choice points, because random choice is a valid implementation of choice points. 
An implementation that chose guards at random might choose the first guard on each repetition, and 
while the probability of that happening would be zero it would still be possible. Since the implementation
using random choice is allowed to choose the first guard forever, deterministic implementations
are also allowed to choose the first guard forever. According to loose nondeterminism, therefore, in
some valid implementations this program could not possibly halt. 

Arrival nondeterminism, however, can be bounded. Consider a dual processor system. As
timesharing users know, from a user’s viewpoint the effective speed of a processor varies with the
computational tasks it is called upon to perform. Suppose one of the dual processors is used for
timesharing as well as batch computation while the other is reserved for batch computation. As the
timesharing load increases, the relative effective speeds of the two processors vary. The effective
speed ratio is bounded only by the degraded response time that users are willing to tolerate, so for the
purposes of mathematical discussion the effective speed ratio is unbounded.

32 C A R Hoare, “Communicating sequential processes”, CACM 21, 8, August 1978, pages 666-677.

The unboundedness of the effective speed ratio gives rise to unboundedly nondeterministic 
programs. Suppose the timesharing processor counts to 100 and then sends a message to the other 
processor. Meanwhile the relatively free processor has been counting as fast as it can; how high can it 
count before it receives the message? As more users burden the timesharing processor, successive runs 
of the program yield higher and higher counts. No principled bound can be set. 

One possible objection to this scenario as an example of unbounded nondeterminism is that
the behaviors of the timesharing users and the timesharing system must be included in any proper 
account of the concurrent counting program. If this objection is to be allowed, though, the semantics 
of concurrent programs becomes quite intractable. Semantics is useful only to the extent that such 
details can be suppressed. 

An analogous scenario can be constructed for a single sequential machine through the use of two 
agendas from which tasks are selected alternately and to which tasks are added unevenly. Again an 
unbounded delay can be achieved. It is the property of finite but unbounded delay that gives rise to 
unbounded nondeterminism. Finite delay is a common and natural property of abstract descriptions 
of concurrent systems. 


III.8. Fairness Implies Unbounded Nondeterminism 

Fairness, roughly speaking, is a property of programs that take inputs from two or more concurrent
processes in such a way that each attempt by a process to provide input is bound to succeed
sooner or later. A fair (two-way) merge, for example, is a program that takes values produced by
two processes and merges them into a single sequence, never ignoring forever a value that one of the
processes is trying to feed it. If one of the processes generates an infinite sequence of zeroes and the
other an infinite sequence of ones, then the set of sequences that could be produced by a fair merge
of those processes is the set of sequences containing infinitely many zeroes, infinitely many ones, and
nothing else; formally

$$(0^* 1 1^* 0)^\omega$$

An unfair merge would be a sequence with only finitely many zeroes or ones.

The ability to write a fair merge is very important to programmers of operating systems and
concurrent systems. By no means is it an ability provided by all concurrent programming languages.
Unbounded nondeterminism serves as one test for fairness: if a fair merge can be written in the
language, then the fair merge can be used to write a program with unbounded nondeterminism. To
see the idea behind this bit of folk wisdom, consider a program written in Communicating Sequential
Processes (CSP): 33

    [X :: Z!stop() ||
     Y :: guard : boolean; guard := true;
          *[guard → Z!go(); Z?guard] ||
     Z :: n : integer; n := 0;
          continue : boolean; continue := true;
          *[X?stop() → continue := false
            □ Y?go() → n := n + 1; Y!continue]
    ]


This program illustrates global nondeterminism, since the nondeterminism arises from incomplete
specification of the timing of signals between the three processes X, Y, and Z. The repetitive guarded
command in the definition of Z has two alternatives: either the stop message is accepted from X,
in which case continue is set to false, or a go message is accepted from Y, in which case n is
incremented and Y is sent the value of continue. If Z ever accepts the stop message from X, then
X terminates. Accepting the stop message causes continue to be set to false, so after Y sends its
next go message Y will receive false as the value of its guard and will terminate. When both X and
Y have terminated, Z terminates because it no longer has live processes providing input.

33 C A R Hoare, “Communicating sequential processes”, CACM 21, 8, August 1978, pages 666-677.

As the author of CSP points out, therefore, if the repetitive guarded command in the definition
of Z were required to be fair, this program would have unbounded nondeterminism: it would be
guaranteed to halt but there would be no bound on the final value of n. In actual fact, the repetitive
guarded commands of CSP are not required to be fair, and so the program may not halt. 34 This fact
may be confirmed by a tedious calculation using the semantics of CSP, 35 or simply by noting that
the semantics of CSP is based upon a conventional power domain and thus does not give rise to
unbounded nondeterminism.
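The two readings of the three-process program can be checked by simulation. The Python sketch below is an added example, not code from the thesis; the arbiter functions, the step bound, and the function names are assumptions introduced here to model how Z's repetitive guarded command is resolved.

```python
from typing import Callable, Optional, Set

# An arbiter resolves Z's repetitive guarded command when both alternatives
# are ready. It is given the repetition number and returns "stop" or "go".
# (Hypothetical modelling device, not part of CSP.)
Arbiter = Callable[[int], str]


def finite_delay(delay: int) -> Arbiter:
    """Fair arbiter: X's stop message is accepted after `delay` go messages."""
    return lambda step: "stop" if step >= delay else "go"


def always_go(step: int) -> str:
    """Unfair arbiter: the go alternative is chosen forever."""
    return "go"


def run(arbiter: Arbiter, max_steps: int) -> Optional[int]:
    """Return the final n, or None if the program has not halted after
    max_steps repetitions of Z's guarded command."""
    n = 0
    cont = True      # Z's variable `continue`
    x_live = True    # X is still waiting to deliver stop()
    y_live = True    # Y's guard is still true
    for step in range(max_steps):
        if not (x_live or y_live):
            break                      # no live inputs: Z terminates
        if x_live and y_live:
            choice = arbiter(step)
        else:
            choice = "stop" if x_live else "go"
        if choice == "stop":           # X?stop() -> continue := false
            cont = False
            x_live = False
        else:                          # Y?go() -> n := n + 1; Y!continue
            n += 1
            y_live = cont              # Y adopts `continue` as its guard
    return None if (x_live or y_live) else n


def outcomes(max_delay: int) -> Set[int]:
    """Final values of n over every finite delay from 0 to max_delay."""
    return {run(finite_delay(d), d + 2) for d in range(max_delay + 1)}
```

Every finite delay yields a halting run with a different final n, so raising `max_delay` enlarges the set of outcomes without limit, while `always_go` never halts within any step bound.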

The reason unbounded nondeterminism does not appear in conventional power domain semantics
is that each element of the power domain is interpreted as a finitely generable subset of the underlying
ω-complete domain. In the ω-complete domains that have been proposed, finitely generable subsets
are either finite or contain an element representing a nonterminating or undefined computation, for
essentially the same reason that choice nondeterminism is bounded. 36 In the actor event diagram
domain and its completion, however, the augmented diagrams contain so much operational information
that one can distinguish computations that violate finite delay from other nonterminating
computations. Intuitively, the actor event diagram domain is incomplete because the computations
that violate finite delay have been thrown out.

To return to the proof that choice nondeterminism is bounded and to see why that proof does
not work for arrival nondeterminism, it is first of all not clear that the tree of initial segments of
execution sequences of a concurrent program is always finitary, since the alternatives may for example
correspond to the wait times allowed by finite delay. 37 Secondly, an infinite branch does not necessarily
indicate a nonterminating computation, since the path may violate the requirement of finite
delay and thus not have a limit. Recall the fair merge of an infinite sequence of zeroes and an infinite
sequence of ones. Every finite sequence of zeroes is a possible initial segment of a fair merge but the
limit, an infinite sequence of zeroes, is impossible.

34 ibid.

35 Nissim Francez, C A R Hoare, Daniel J Lehmann, and Willem P de Roever, “Semantics of nondeterminism, concurrency,
and communication”, J Computer and System Sciences 19, 1979, pages 290-308.

36 G D Plotkin, “A powerdomain construction”, SIAM J Computing 5, 3, September 1976, pages 452-487.

37 Nancy A Lynch and Michael J Fischer, “On describing the behavior and implementation of distributed systems”, in
Semantics of Concurrent Computation, Springer-Verlag Lecture Notes in Computer Science 70, 1979. See also R J Back,
“Semantics of unbounded nondeterminism”, Mathematisch Centrum Report IW 135/80, April 1980.


Apparently the designer of CSP stopped short of requiring fairness because at the time languages 
with unbounded nondeterminism were widely regarded as unimplementable. 38 Additionally unbounded
nondeterminism would have precluded giving a conventional power domain semantics for
CSP. 

Another important proposal, based like CSP on message passing but more abstract than a 
programming language, is Concurrent Processes. 39 The semantics of Concurrent Processes also uses 
conventional power domains, so there is no unbounded nondeterminism and a fair merge cannot be 
specified. 

It appears that a fair merge cannot be written as a nondeterministic data flow program operating
on streams. 40 The reason is that for any monotonic function

$$\mathrm{merge} : S \times S \to P[S]$$

from pairs of input streams to sets of possible output streams it must be that

$$\mathrm{merge}(\bot, 1^\omega) \sqsubseteq \mathrm{merge}(0, 1^\omega)$$

where $\bot$ is the empty stream. Since the only fair merge of $\bot$ and $1^\omega$ is $1^\omega$, $1^\omega$ should be an element
of $\mathrm{merge}(\bot, 1^\omega)$, but that would mean $1^\omega$ must be an element of $\mathrm{merge}(0, 1^\omega)$ also.

The coroutine proposal of Kahn and McQueen avoids nondeterminism altogether and thus cannot
provide a fair merge. The “fair merge” that they present must assume for its correctness that both
of its input streams are infinite. 41

38 “Communicating sequential processes”.

39 George Milne and Robin Milner, “Concurrent processes and their syntax”, JACM 26, 2, April 1979, pages 302-321.

40 Despite a claim to the contrary in Paul Roman Kosinski, “Denotational semantics of determinate and non-determinate
data flow programs”, MIT LCS Technical Report 220, May 1979. The proof of Theorem 5.2 in that paper mistakenly
assumes trichotomy for partial orders. In fact the domain of lagged-stream-sets is incomplete, and the fixed points being
manipulated in the remainder of that paper do not exist.

41 Gilles Kahn and David McQueen, “Coroutines and networks of parallel processes”, IFIP-77, Montreal, August 1977,
pages 993-998.
It is possible to write a CSP program that acts as a fair two-way merge so long as neither process
transmits infinitely many messages to it. Since CSP’s semantics identifies all nonterminating computations,
it is impossible to tell directly from the semantics whether the program is unfair in the infinite
case. Since no CSP program has unbounded nondeterminism, however, one can conclude that writing 
a fair merge in CSP is impossible. In this way unbounded nondeterminism provides an indirect 
answer to the question of fairness even though the question cannot be formulated directly. 

Notice in the context of loose nondeterminism that even though writing a fair merge in a given 
language may be impossible it may still be possible to write merge programs in the language that will 
in practice be implemented fairly. Indeed, the author of CSP has set forth the informal requirement 
that “an efficient implementation should try to be reasonably fair”. 42 In practice implementations can 
be extremely fair. The fact that examination of a programming language’s semantics shows that a fair 
merge cannot be written in the language reveals a deficiency not of the language but of the current 
theory of programming language semantics. 

To sum up, the problem with choice points as a model of nondeterministic concurrency is that 
they cannot be used to write a fair merge. In terms of what programs can express about their 
implementations, merge programs using choice points can allow fair merge but they cannot require it. 

How important is fairness? Every finite initial sequence of values produced by an unfair merge
can also be produced by a fair merge. Fair and unfair merges differ only at infinity. It can be argued 
that fairness is therefore unimportant, since as finite beings our horizon of interest seldom extends 
beyond a few score billion years. This argument should appeal to those who for the same reason find 
silly the question of whether a program terminates or not. 


42 “Communicating sequential processes”. 
Chapter IV


Actor Semantics 


This chapter sets forth a power domain semantics for actor-based languages. The semantics 
given here is a power domain formulation of the behavioral semantics invented by Irene Greif. 1 The 
semantics has an operational flavor because it gives as the meaning of a program a set of generalized 
execution sequences, which are essentially the actor event diagrams of Chapter II. 

IV.1. Primitive Serializers 

A primitive serializer is a special kind of actor. Conceptually a primitive serializer consists of
an arbiter, a queue, and a processor. A primitive serializer is the target of an event when a message
arrives at the serializer’s arbiter and is placed in the serializer’s queue to await processing. When
two messages arrive at about the same time, the arbiter decides which one goes first in the queue.
The arbiter must be reliable and place every incoming message in the queue. In other words, the
arbiter performs a fair merge on incoming messages. The processor of the primitive serializer accepts
messages serially from the queue and processes them according to some deterministic and terminating
algorithm. When the processor accepts a message from the queue, it locks and accepts no more
messages from the queue until it finishes with that message.

1 Irene Greif, “Semantics of communicating parallel processes”, MIT Project MAC Technical Report 154, September
1975.

    (stack = elements initially [ ]
      inside
        accept [ continuation op x ]
          if equal [ op "push" ]
            then change elements to [ x elements ] ;
                 send "pushed" to continuation
            else
              if equal [ op "pop" ]
                then
                  (if equal [ elements [ ] ]
                     then send "error -- stack empty" to continuation
                     else change elements to second(elements) ;
                          send "popped" to continuation)
                else
                  if equal [ op "top" ]
                    then
                      (if equal [ elements [ ] ]
                         then send "error -- stack empty" to continuation
                         else send first(elements) to continuation)
                    else
                      if equal [ op "empty?" ]
                        then send equal [ elements [ ] ] to continuation
                        else
                          send "error -- undefined operation on stack" to continuation)

Figure 1. An implementation of a single stack in the toy programming language Atolia.

Messages are accepted and processed in the same order that they arrive at the primitive serializer,
that is, in the same order as the arrival ordering of their corresponding events. Processing a message 
may involve (1) changing the local state of the primitive serializer’s processor; (2) sending out a finite 
set of messages; (3) creating a finite set of new primitive serializers; this last possibility resembles 
process creation. When the processor finishes processing a message, it unlocks and accepts the next 
message in the queue. If there are none, it waits until there are. 

Primitive serializers have been proposed as a basis for programming concurrent and distributed
systems. 2 Figure 1, for example, shows one way to implement a stack as a primitive serializer. There
is one state variable, elements, which is the empty sequence initially. stack takes messages of the
form

    [continuation op x]

where continuation is an actor that should receive the result or notification, op is one of the four
stack operations (push, pop, top, and empty?), and x is a value to be pushed. When the operation
is pop, top, or empty?, x may be omitted. The messages sent and the changes made to the local
state variable should be apparent from the code. stack never creates any actors.

2 Carl Hewitt, Giuseppe Attardi, and Henry Lieberman, “Specifying and proving properties of guardians for distributed
systems”, in Semantics of Concurrent Computation, Springer-Verlag Lecture Notes in Computer Science 70, 1979.

Programming languages based on primitive serializers, such as Act1 3 and Atolia, 4 will be called
actor-based languages. Programs in such languages are often written in the object oriented, continuation
passing style illustrated by stack.


IV.2. Actor Behaviors 

For simplicity, this chapter will ignore actor creation. Chapter V will outline the small changes to 
the semantics given here that are necessary when actors can be created in the course of computation.

Let A be the set of actors, and M the set of messages. 

An actor is completely described by its name and by its behavior, which specifies what the actor 
does whenever it receives a message. An actor’s name is a necessary part of its description because two 
different actors may have the same behavior. An actor’s behavior is a necessary part of its description 
because the same actor may have different behaviors at different times. 

When a primitive serializer receives a message, it may change state, may send out a finite number
of messages to other actors, and may create other actors. Ignoring the possibility of creating other
actors, this suggests that the behavior of a primitive serializer a should be a function

$$b_a : \Sigma_a \to [M \to (\Sigma_a \times (A \times M)^*)],$$

where $\Sigma_a$ is the set of local states of a, and an element of $(A \times M)^*$ represents a finite set of messages
sent out to specific targets. Since the only purpose of local states is to index the next behavior, though,
it is better to define the behavior domain F via the reflexive domain equation 5

$$F \cong [M \to (F \times (A \times M)^*)].$$

F may be thought of as the set of trees of height ω, with an unlabelled root node, non-root nodes
labelled by finite sequences in $A \times M$, and such that each node has exactly one outgoing arc labelled
by m for each message $m \in M$.

3 ibid.

4 See §V.5.

Behaviors are normally specified using a programming language. Using informal mathematical 
notation, the initial behavior of stack might be written 

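$$
\begin{aligned}
b_{[\,]} :\quad & [c\ \mathtt{push}\ x] \mapsto (b_{[x\ [\,]]},\ \langle (c, \mathtt{pushed}) \rangle) \\
& [c\ \mathtt{pop}] \mapsto (b_{[\,]},\ \langle (c, \mathtt{error\ \text{--}\ stack\ empty}) \rangle) \\
& [c\ \mathtt{top}] \mapsto (b_{[\,]},\ \langle (c, \mathtt{error\ \text{--}\ stack\ empty}) \rangle) \\
& [c\ \mathtt{empty?}] \mapsto (b_{[\,]},\ \langle (c, \mathtt{true}) \rangle)
\end{aligned}
$$

where $b_{[x\ y]}$ is the behavior defined by

$$
\begin{aligned}
b_{[x\ y]} :\quad & [c\ \mathtt{push}\ z] \mapsto (b_{[z\ [x\ y]]},\ \langle (c, \mathtt{pushed}) \rangle) \\
& [c\ \mathtt{pop}] \mapsto (b_{y},\ \langle (c, \mathtt{popped}) \rangle) \\
& [c\ \mathtt{top}] \mapsto (b_{[x\ y]},\ \langle (c, x) \rangle) \\
& [c\ \mathtt{empty?}] \mapsto (b_{[x\ y]},\ \langle (c, \mathtt{false}) \rangle)
\end{aligned}
$$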

(The mathematical notation here is less precise than the programming language since it does not indicate
the values of the behaviors on messages that do not match the patterns.) As a simpler example,
the Atolia script 

accept [ ] dummy 


signifies the constantly passive behavior 


$$p : m \mapsto (p, \langle\,\rangle).$$
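The stack and passive behaviors can be written directly as functions from a message to a pair of next behavior and messages sent, which is the shape of the domain equation for F. The Python sketch below is an added example, not code from the thesis; the tuple encoding of messages, the FIFO `run` loop, and the actor names "stack" and "c" are assumptions made here, and replies to unmatched operations follow the final else branch of Figure 1.

```python
from collections import deque
from typing import Callable, Dict, List, Tuple

Message = object                        # [c op x] is modelled as the tuple (c, op, x)
Sends = List[Tuple[str, Message]]       # a finite sequence in (A x M)*
Behavior = Callable[[Message], Tuple["Behavior", Sends]]

EMPTY = ()                              # the empty sequence [ ]


def stack_behavior(elements=EMPTY) -> Behavior:
    """The behavior indexed by `elements`, which is () or a pair (x, y)."""
    def b(msg: Message) -> Tuple[Behavior, Sends]:
        # Assumption: a message with no continuation and operation cannot
        # be answered, so it leaves the behavior unchanged and sends nothing.
        if not isinstance(msg, tuple) or len(msg) < 2:
            return b, []
        c, op, *args = msg
        if op == "push" and args:
            return stack_behavior((args[0], elements)), [(c, "pushed")]
        if op == "pop":
            if elements == EMPTY:
                return b, [(c, "error -- stack empty")]
            return stack_behavior(elements[1]), [(c, "popped")]
        if op == "top":
            if elements == EMPTY:
                return b, [(c, "error -- stack empty")]
            return b, [(c, elements[0])]
        if op == "empty?":
            return b, [(c, elements == EMPTY)]
        return b, [(c, "error -- undefined operation on stack")]
    return b


def passive(msg: Message) -> Tuple[Behavior, Sends]:
    """The constantly passive behavior: same behavior next, nothing sent."""
    return passive, []


def run(behaviors: Dict[str, Behavior], pending: Sends) -> Dict[str, List[Message]]:
    """Realize pending events in FIFO order, so each one is realized after
    finitely many steps, and return every actor's arrival ordering."""
    behaviors = dict(behaviors)
    queue = deque(pending)
    arrivals: Dict[str, List[Message]] = {name: [] for name in behaviors}
    while queue:
        target, msg = queue.popleft()
        arrivals[target].append(msg)
        behaviors[target], sends = behaviors[target](msg)
        queue.extend(sends)             # messages sent become pending events
    return arrivals


def demo() -> List[Message]:
    """Constructed input: nine requests to one stack, replies sent to c."""
    ops = [("push", 1), ("push", 2), ("top",), ("pop",), ("top",),
           ("pop",), ("pop",), ("empty?",), ("frob",)]
    pending = [("stack", ("c",) + op) for op in ops]
    return run({"stack": stack_behavior(), "c": passive}, pending)["c"]
```

Because a behavior is a value and not a mutable object, the behavior held before a push still answers as an empty stack afterwards; only the serializer's reference to its current behavior changes.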


5 That this equation has a solution is assured by the standard theory of programming language semantics. See Dana
Scott, “Data types as lattices”, SIAM J Computing 5, 3, September 1976, pages 522-587, or the books by Stoy or Milne
and Strachey.

It is the purpose of a programming language semantics to define a mapping from syntactic objects
such as the code for stack to mathematical objects such as the behavior $b_{[\,]}$. The goal of this
chapter is to define a mapping from computer programs written in an actor-based language to sets of
actor event diagrams representing possible outcomes. The mapping is defined in two stages. In the 
first stage, the standard denotational theory of sequential programming language semantics is used to
define for each program Q in the language a function 

9(Q) : A → F

giving the initial behavior of each actor. In the second stage that function is used to define the set of 
possible outcomes of the program Q. 

The second stage is largely independent of the programming language. For the purposes of the 
second stage an actor-based programming language is simply a pair 

where l is a description language (set of programs) and is a map 

l —► (A F). 

Appendix IV piesents .t and < D i for a toy language illustrating actors.* 5 L and < tP have previously been 
specified for a version of the Actl language. 7 

IV.3. The Actor Event Diagram Domain 

An element of the actor event diagram domain is an actor event diagram as in Chapter II augmented by a (possibly empty) set of pending events. See Figure 2. As before, each vertical line
represents an arrival ordering, with time flowing downward so that early events lie above later events. 
As before, the arrows represent links of the activation ordering. As before, the target and message of 
an event are written beside the event’s dot. 

6 In Appendix IV L is the set of actor script declarations Act. The behavior domain F given in Appendix IV is complicated by actor creation. For programs that do not create actors, the differences between the behavior domain of Appendix IV and the behavior domain of this section may be ignored.

7 Carl Hewitt and Giuseppe Attardi, unpublishable. 
Figure 2. An actor event diagram with pending events.

Each pending event represents a message on its way to a target. The activator of a pending 
event is the event that caused the message to be sent. When the pending event becomes realized (in 
a greater element of D) its activator will be the activator of the realized event. In order to refer to 
arbitrary events, let (a, n) be the (n + 1)th event in the arrival ordering of a if such exists. In other
words, if a is an actor then the successive events in the arrival ordering of a are 

(a, 0), (a, 1), (a, 2), (a, 3), (a, 4),.... 

The elements of the actor event diagram domain D will be required to have initial events and to obey a law of finite activation. Finite activation corresponds to the restriction on primitive serializers that they send out only finitely many messages before they unlock. Simplicity is the only reason for requiring initial events. 8

The formal definition of the actor event diagram domain will use the concept of multisets. A multiset is a set with repetitions. For example, $\{1\}$ and $\{1, 1\}$ are distinct multisets. A set with elements from a universe $U$ may be considered a function: $U \to 2$. In like manner a multiset with (finite repetitions of) elements from $U$ may be considered a function: $U \to \omega$. 9 The cardinality of a multiset $s$ is defined as

$$\sum_{u \in U} s(u)$$

if the sum exists and is finite, and as $\omega$ otherwise, since the universe $U$ will always be countable in actor semantics. If $s_1$ and $s_2$ are multisets, then their multiset (disjoint) union $s_1 \uplus s_2$ is defined by

$$\forall u \in U \quad (s_1 \uplus s_2)(u) = s_1(u) + s_2(u).$$

Similarly their multiset difference $s_1 - s_2$ is defined by

$$\forall u \in U \quad (s_1 - s_2)(u) = \begin{cases} 0 & \text{if } s_1(u) \le s_2(u) \\ s_1(u) - s_2(u) & \text{if } s_1(u) > s_2(u). \end{cases}$$

If $s_1: U_1 \to \omega$ and $s_2: U_2 \to \omega$ are multisets, their multiset product $s_1 \times s_2: (U_1 \times U_2) \to \omega$ is defined by

$$\forall (u_1, u_2) \in U_1 \times U_2 \quad (s_1 \times s_2)((u_1, u_2)) = s_1(u_1) \times s_2(u_2).$$

Let the set of actors, $A$, and the set of messages, $M$, be countable sets.

Definition. The set of augmented actor event diagrams is the set $D$ of structures

$$(E, M, \xrightarrow{\mathrm{act}}, P)$$

where

• $E$ is the set of (realized) events.

• $M$ is the message function.

• $\xrightarrow{\mathrm{act}}$ is the activation ordering.

• $P$ is the multiset of pending events.

and the following hold.

• $E$ is a subset of $A \times \omega$ such that if $i < n$ and $(a, n) \in E$ then $(a, i) \in E$.

• $M$ is a function: $E \to M$ (here the codomain $M$ is the set of messages).

• $\xrightarrow{\mathrm{act}}$ is an irreflexive partial order on $E$ such that no event has more than one immediate predecessor.

• $P$ is a multiset (with finite repetitions) of elements from $(A \times M) \times E$. That is, $P$ is a function: $((A \times M) \times E) \to \omega$.

• Finite Delay. If $E$ is infinite, then $P$ is empty.

Let the target function $T: E \to A$ be defined by $T((a, n)) = a$.

For $a \in A$, let the arrival ordering of $a$, $\xrightarrow{\mathrm{arr}_a}$, be defined on $E$ by

$$(a, i) \xrightarrow{\mathrm{arr}_a} (a', j) \iff a = a' \text{ and } i < j.$$

Let the combined ordering on $E$, $\longrightarrow$, be defined as the transitive closure of

$$\xrightarrow{\mathrm{act}} \ \cup\ \Big(\bigcup \{ \xrightarrow{\mathrm{arr}_a} \mid a \in A \}\Big).$$

• Law of Strict Causality. For no $e \in E$ does $e \longrightarrow e$.

• Law of Countability. $E$ is countable. 10

• Law of Finite Predecession. For all events $e_1$ the set $\{ e \mid e \longrightarrow e_1 \}$ is finite.

• Initial Event. Either $E$ and $P$ are both empty or there exists an event $e_0$ such that $\forall e \in E$, $e_0 = e$ or $e_0 \xrightarrow{\mathrm{act}} e$.

• Finite Activation. For each $e \in E$ the set of events activated by $e$ is finite. That is, $\{ e' \in E \mid e \xrightarrow{\mathrm{act}} e' \text{ and } \neg\exists f\ e \xrightarrow{\mathrm{act}} f \xrightarrow{\mathrm{act}} e' \}$ is finite.

• Finite Activation. For each $e \in E$, the multiset of pending events activated by $e$ is finite. That is, $\{ ((a, m), e) \in P \mid a \in A, m \in M \}$ is a finite multiset. 11

(End of definition.)

8 Aside from complicating the discussion of completed elements of the domain, dropping the requirement of an initial event would cause no problems. Finite activation, however, is needed to ensure that the domain has only countably many isolated elements. Extending the essential theorems of Chapter III to domains with uncountably many isolated elements apparently requires the axiom of choice.

9 This suffices for the semantics given here. Other applications may require a more sophisticated treatment of multisets.

10 This law is redundant here since $A$ is countable and $E$ is a subset of $A \times \omega$.

Figure 3. An example of the initial history ordering.

Figure 4. A non-example of the initial history ordering.

The partial order to be placed on $D$ coincides with the notion of an initial history of a computation. For $x, y \in D$, $x \le y$ means that $x$ is a possible stage a computation could go through on its way to $y$. That is, $x \le y$ means $y$ could be obtained from $x$ by a process of expanding pending events. A pending event is expanded by making it into an actual (realized) event and adding any pending events that it may activate. Normally the new pending events would be determined by the current behavior of the target of the newly realized event. Since $\le$ is defined without reference to behaviors, though, $x \le y$ means that for some assignment of behaviors to actors $y$ can be obtained from $x$ through some sequence of event expansions.

11 In view of the requirement of Finite Delay, a simpler way to state this is to say that $P$ is a finite multiset. In the completion, however, where Finite Delay does not hold, $P$ can be infinite.

Figure 5. Another non-example of the initial history ordering.

The best way to understand the initial history ordering $\le$ on $D$ is by way of examples and near misses. Figure 3 is an example of $\le$. Figure 4 is not an example because one of the pending events disappears without being realized. Figure 5 is not an example because a pending event whose activator had already been realized appears out of nowhere.

Definition. Let $x = (E_x, M_x, \xrightarrow{\mathrm{act}}_x, P_x) \in D$ and $y = (E_y, M_y, \xrightarrow{\mathrm{act}}_y, P_y) \in D$. $x$ is an initial history of $y$, written $x \le y$, if and only if

• $E_x \subseteq E_y$.

• $\forall e \in E_x \quad M_x(e) = M_y(e)$.

• $\forall e, e' \in E_x \quad e \xrightarrow{\mathrm{act}}_x e' \iff e \xrightarrow{\mathrm{act}}_y e'$.

• Each pending event in $x$ is accounted for exactly once in $y$, either as a pending event in $P_y$ or as a realized event in $E_y$. Furthermore all the pending events of $y$ activated by events already in $x$ must be accounted for in this way. More formally, using $\{\cdot\}$ to indicate multiset abstraction in which repetitions are counted,

$$P_x = \{ ((a, m), e) \in P_y \mid e \in E_x \} \uplus \{ ((T_y(e'), M_y(e')), e) \mid e' \in E_y - E_x,\ e = \mathrm{activator}(e'),\ \text{and } e \in E_x \}$$

where $\mathrm{activator}(e')$ is the unique immediate predecessor of $e'$ in the activation ordering of $y$.

Definition. $(D, \le)$ is the actor event diagram domain.

Figure 6. An increasing sequence with no least upper bound. (These diagrams use the notation (e) to indicate the activator e of a pending event. Also the arrival ordering of a is labelled at its top, so only messages are written beside event dots.)
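The four clauses of the initial history ordering can be checked mechanically. The Python sketch below is an added example, not part of the thesis: it encodes the pending and realized events that survive in the text of Figures 3 and 4, plus a diagram built to match the description of Figure 5. The dictionary encoding, the function names and the actor name f (printed as "/" in the figures) are assumptions of the sketch.

```python
from collections import Counter

def diagram(events, pending):
    """events: {(actor, n): (message, activator)}; pending: [((target, message), activator)]."""
    return {"E": dict(events), "P": Counter(pending)}

def ancestors(d, e):
    """Activation predecessors of e, found by following immediate-activator links."""
    seen, act = set(), d["E"][e][1]
    while act is not None:
        seen.add(act)
        act = d["E"][act][1]
    return seen

def initial_history(x, y):
    """Return (True, "") when x <= y, otherwise (False, which clause failed)."""
    Ex, Ey = x["E"], y["E"]
    if not set(Ex) <= set(Ey):
        return False, "E_x is not a subset of E_y"
    if any(Ex[e][0] != Ey[e][0] for e in Ex):
        return False, "messages differ on E_x"
    if any(ancestors(x, e) != ancestors(y, e) & set(Ex) for e in Ex):
        return False, "activation orderings differ on E_x"
    # Pending events of y whose activator is already realized in x ...
    accounted = Counter({p: k for p, k in y["P"].items() if p[1] in Ex})
    # ... plus events realized in y but not in x whose activator lies in x.
    for (target, n), (msg, act) in Ey.items():
        if (target, n) not in Ex and act in Ex:
            accounted[((target, msg), act)] += 1
    if accounted != x["P"]:
        if x["P"] - accounted:
            return False, "a pending event of x vanished"
        return False, "a pending event appeared from nowhere"
    return True, ""

# Diagrams transcribed from the surviving text of Figures 3 and 4 (constructed data).
F0, ADD0, ADD1 = ("f", 0), ("add", 0), ("add", 1)
REALIZED_X = {F0: ((1, 2, 3, 4), None), ADD0: ((1, 2), F0)}
REALIZED_Y = dict(REALIZED_X)
REALIZED_Y[ADD1] = ((3, 4), F0)

X = diagram(REALIZED_X, [(("add", (3, 4)), F0), (("f", 3), ADD0)])
Y3 = diagram(REALIZED_Y, [(("f", 3), ADD0), (("f", 7), ADD1)])   # Figure 3, right
Y4 = diagram(REALIZED_Y, [(("f", 7), ADD1)])                     # Figure 4, right
# Built to match the description of Figure 5: an extra pending event
# whose activator (add, 0) was already realized in x.
Y5 = diagram(REALIZED_Y, [(("user", 3), ADD0), (("f", 3), ADD0), (("f", 7), ADD1)])

if __name__ == "__main__":
    for name, y in (("Figure 3", Y3), ("Figure 4", Y4), ("Figure 5", Y5)):
        print(name, initial_history(X, y))
```
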

The actor event diagram domain is a domain by the definition of Chapter III. The isolated elements are those with a finite number of realized events. The least element has no events at all, realized or pending. The domain is not ω-complete, because there exist increasing sequences having no least upper bound. Figure 6 gives such a sequence in which an event remains pending forever. Though this sequence has no least upper bound, it has many incomparable minimal upper bounds, and Figure 7 shows two of them.

Figure 7. Two upper bounds for the sequence of Figure 6.

The least upper bound of a directed set $X \subseteq D$ will be written $\bigvee X$ if it exists. In view of the following theorem, $\bigvee X$ exists if and only if either (1) the union of the sets of realized events of elements of $X$ is finite; or (2) for every element $x$ of $X$, for every pending event $p$ of $x$, there exists $x' \in X$ such that $p$ is realized in $x'$.

Theorem 1. If $X \subseteq D$ and $u = \bigvee X$, then for every event $e$ of $u$ there exists $x \in X$ with $e$ an event of $x$.

Proof. Suppose $u$ is an upper bound for $X$ in $D$ and that $e$ is an event of $u$. If there does not exist $x \in X$ with $e$ an event of $x$, then it is possible to alter $u$ so as to obtain another upper bound for $X$ incomparable with $u$. Simply remove from $u$ all activation successors of $e$ and all pending events activated by $e$ or its activation successors, and then rename the remaining realized events. Call the resulting augmented event diagram $u'$. Since no event following $e$ in the combined ordering of $u$ can be an event of any $x \in X$, $u'$ is also an upper bound for $X$. Either $u$ and $u'$ are incomparable, or $u = u'$. In the latter case, obtain $u''$ from $u = u'$ by inserting a new event in the arrival ordering of $T(e)$ immediately after $e$, letting $e$ be its activator. $u''$ is then an upper bound for $X$ incomparable with $u$. ∎

In the case of Figure 6 any least upper bound would have to have both infinitely many realized events and a pending event. The requirement of Finite Delay thus rules out a least upper bound for the sequence.

The ω-completion of the actor event diagram domain is easily characterized up to isomorphism. Just drop the requirement of Finite Delay from the definition of $D$ to obtain its ω-completion $\overline{D}$.

As noted in §III.5, the event diagrams corresponding to sequential computations have linear activation orderings. In other words, no event activates more than one event. Such event diagrams form an ω-complete subdomain of $D$.

Aside from the least element $\bot$, which represents a computation not yet started, those elements of $D$ having no pending events represent computations that have terminated or that have run on to infinity, as distinguished from computations with pending events which represent computations still in progress. Excluding the least element $\bot$, those elements of $D$ with no pending events will therefore be called the completed elements of $D$. The completed elements may also be characterized as the maximal elements of $D$.


IV.4. Meanings as Fixed Points 

Since $D$ is a domain, its power domain, $P[D]$, exists. $P[D]$ is the semantic domain in which programs written in actor-based languages will be given meanings.

Let $Q$ be a program, with

$$\mathcal{P}(Q): A \to F$$

the function giving the initial behavior of each actor as determined by the program $Q$. These behaviors will be used to define a continuous function $f_*$ on $P[D]$ whose least fixed point will serve as the meaning of the program $Q$.

For $x$ an ordered pair, let $x \downarrow 1$ be the first and $x \downarrow 2$ be the second element of the pair. Let

$$\mathrm{next}: (F \times (A \times M)^*) \to F$$

and

$$\mathrm{pend}: (F \times (A \times M)^*) \to ((A \times M) \to \omega)$$

be defined as follows. $\mathrm{next}(x) = x \downarrow 1$ is the behavior part of the pair. $\mathrm{pend}(x)$ is the multiset with elements from $A \times M$ such that $\mathrm{pend}(x)((a, m))$ is the number of times that $(a, m)$ appears in the sequence $x \downarrow 2$. If $\phi$ is the behavior of an actor when it accepts the message $m$ of an event $e$, then $\mathrm{next}(\phi\, m)$ is the next behavior of the actor, and $\mathrm{pend}(\phi\, m) \times \{ e \}$ is the multiset of pending events activated by $e$.

$f_*: P[D] \to P[D]$ will be defined pointwise from a function $f: D \to P[D]$, which will in turn be defined from a function $g: D \to P[D]$. For $x \in D$, $g(x)$ is essentially the set of augmented event diagrams that result from expanding exactly one pending event of $x$ in accord with the actor behaviors specified by the program $Q$. In fact $g(x)$ is a little more, because $g(x)$ has to satisfy the closure requirements that hold for elements of the power domain.

The first step in defining $g$ is to define $g(\bot)$, which amounts to deciding how program execution should be initiated, which in turn amounts to deciding on an initial event. It is an arbitrary decision, but suppose that execution begins when a special message $m_0$ arrives at a particular actor $a_0$ singled out by the language. (For the toy language described in the appendixes, $m_0$ is the empty sequence $\langle\rangle$ and the target of the initial event is (program, 0).)

Therefore let

$$g(\bot) = \{ (E, M, \xrightarrow{\mathrm{act}}, P) \}^c$$

where $c$ is the closure operation defined in §III.3 and

$$
\begin{aligned}
E &= \{ (a_0, 0) \}\\
M((a_0, 0)) &= m_0\\
\xrightarrow{\mathrm{act}} &= \emptyset\\
P &= \mathrm{pend}(\mathcal{P}(Q)\, a_0\, m_0) \times \{ (a_0, 0) \}.
\end{aligned}
$$

Now to define $g$ on $x = (E, M, \xrightarrow{\mathrm{act}}, P) \in D$, where $x \ne \bot$. Let $\mathrm{behavior}(a)$ be the current behavior of actor $a$ in $x$, that is, the behavior of actor $a$ after it has accepted the messages of all the events in its arrival ordering. More formally, define the successive behaviors of $a$ by

$$
\begin{aligned}
b(a, 0) &= \mathcal{P}(Q)\, a\\
b(a, n + 1) &= \mathrm{next}(b(a, n)(M((a, n))))
\end{aligned}
$$

and let $\mathrm{behavior}(a) = b(a, n)$ where $n$ is the least integer such that $(a, n) \notin E$. If there are infinitely many events in the arrival ordering of $a$, so that no such $n$ exists, then the current behavior of $a$ is undefined.

If $P$ is empty, there are no pending events to expand and so let

$$g(x) = \{ x \}^c$$

where $c$ is the closure operation defined in §III.3. Otherwise for each $p = ((a, m), e) \in P$, or more properly for each $p \in ((A \times M) \times E)$ such that $P(p) \ne 0$, let $x(a, m, e)$ be the element of $D$ obtained by (1) adding a new event to $x$ with target $a$, message $m$, and activator $e$; (2) subtracting the pending event $p$ from the pending events of $x$; and (3) adding the pending events activated by the new event. Then define

$$g(x) = \{ x(a, m, e) \mid ((a, m), e) \in P \}^c.$$

To define $x(a, m, e)$ more precisely, let $n$ be the least integer such that $(a, n) \notin E$. Such an $n$ must exist because the existence of pending events implies that the set of events is finite. Then

$$x(a, m, e) = (E', M', \xrightarrow{\mathrm{act}}{}', P')$$

where

$$
\begin{aligned}
E' &= E \cup \{ (a, n) \}\\
M'(e) &= \begin{cases} M(e) & \text{if } e \in E \\ m & \text{if } e = (a, n) \end{cases}\\
e_1 \xrightarrow{\mathrm{act}}{}' e_2 &\iff (e_1, e_2 \in E \text{ and } e_1 \xrightarrow{\mathrm{act}} e_2) \text{ or } (e_2 = (a, n) \text{ and } (e_1 = e \text{ or } e_1 \xrightarrow{\mathrm{act}} e))\\
P' &= (P - \{ ((a, m), e) \}) \uplus (\mathrm{pend}(\mathrm{behavior}(a)\, m) \times \{ (a, n) \})
\end{aligned}
$$
This completes the definition of $g: D \to P[D]$. Define $f: D \to P[D]$ by

$$f(x) = \bigsqcup_{z \le x} g(z).$$

Some observations:

• If $((a, m), e)$ is a pending event of $x$, then $x \le x(a, m, e)$.

• If $x \le y$ then $x \in g(y)$. In particular $x \in f(x)$.

• If $x$ is isolated, then $g(x)$ contains only isolated elements. This follows from the property of $D$ that if $y \in D$ is isolated, and $x \le y$, then $x$ is also isolated.

• If $x$ is not isolated, then $g(x)$ contains exactly one element that is not isolated, namely $x$. This follows from the fact that elements of $D$ that are not isolated are maximal in $D$.

Theorem 1. $f: D \to P[D]$ is ω-continuous.

Proof. Let $x \le y$. Then

$$f(x) = \bigsqcup_{z \le x} g(z) \subseteq \bigsqcup_{z \le y} g(z) = f(y)$$

so $f$ is monotonic.

To show $f$ ω-continuous, let $\{x_i\}_{i \in \omega}$ be an increasing sequence in $D$ having a least upper bound $x = \bigvee_{i \in \omega} x_i$. Let $z \le x$. If $z$ is isolated, then there exists $x_i$ with $z \le x_i$, whence

$$g(z) \subseteq \bigsqcup_{z \le x_i} g(z) = f(x_i) \subseteq \bigsqcup_{i \in \omega} f(x_i).$$

On the other hand, if $z$ is not isolated then $z = x$ and $g(z) = \{ x \}^c$. $x_i \in f(x_i)$ for each $i$, so

$$x \in \Big( \bigcup_{i \in \omega} f(x_i) \Big)^c = \bigsqcup_{i \in \omega} f(x_i).$$

Hence

$$g(z) = \{ x \}^c \subseteq \bigsqcup_{i \in \omega} f(x_i).$$

Thus

$$\bigcup_{z \le x} g(z) \subseteq \bigsqcup_{i \in \omega} f(x_i)$$

and applying the closure operation to both sides yields

$$f(x) \subseteq \bigsqcup_{i \in \omega} f(x_i).$$

Monotonicity implies the reverse direction, so $f$ is ω-continuous. ∎
Define $f_*: P[D] \to P[D]$ by

$$f_*(A) = \bigsqcup \{ f(x) \mid x \in A \} = \Big( \bigcup_{x \in A} f(x) \Big)^c.$$

$f_*(A)$ thus consists of the augmented event diagrams in $A$ together with all the event diagrams that can be had by taking an element of $A$ and expanding one of its pending events.

The following general theorem shows that $f_*$ is ω-continuous.

Theorem 2. Let $D$ be a domain, and let $f: D \to P[D]$ be ω-continuous. Then $f_*: P[D] \to P[D]$ defined by

$$f_*(A) = \bigsqcup_{x \in A} f(x)$$

is ω-continuous.

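Proof. Monotonicity is obvious. Hence it suffices to show

$$f_*\Big( \bigsqcup_{i \in \omega} A_i \Big) \subseteq \bigsqcup_{i \in \omega} f_*(A_i)$$

for increasing sequences $\{A_i\}_{i \in \omega}$.

Let

$$c \in f_*\Big( \bigsqcup_{i \in \omega} A_i \Big) = \bigsqcup \Big\{ f(x) \ \Big|\ x \in \bigsqcup_{i \in \omega} A_i \Big\} = \Big( \bigcup \Big\{ f(x) \ \Big|\ x \in \Big( \bigcup_{i \in \omega} A_i \Big)^c \Big\} \Big)^c.$$

Let $W \subseteq \bigcup \{ f(x) \mid x \in (\bigcup_{i \in \omega} A_i)^c \}$ be a directed set with $c = \bigvee W$. For $w \in W$ let $Z_w \subseteq \bigcup_{i \in \omega} A_i$ be a directed set with

$$w \in f\Big( \bigvee Z_w \Big) = \bigsqcup_{z \in Z_w} f(z) = \Big( \bigcup_{z \in Z_w} f(z) \Big)^c.$$

Let $Y_w \subseteq \bigcup_{z \in Z_w} f(z)$ be a directed set of isolated elements with $w = \bigvee Y_w$. Let $Y = \bigcup_{w \in W} Y_w$. Then

$$c = \bigvee W = \bigvee \Big( \bigcup_{w \in W} Y_w \Big) = \bigvee Y$$

and

$$
\begin{aligned}
Y = \bigcup_{w \in W} Y_w &\subseteq \bigcup_{w \in W} \bigcup_{z \in Z_w} f(z)\\
&\subseteq \bigcup_{i \in \omega} \bigcup_{z \in A_i} f(z)\\
&\subseteq \bigcup_{i \in \omega} f_*(A_i).
\end{aligned}
$$

Furthermore, $Y$ is directed: if $y_1 \in Y_{w_1}$ and $y_2 \in Y_{w_2}$, then let $w_3$ be an upper bound for $w_1$ and $w_2$ in $W$. Since $y_1$ and $y_2$ are isolated, $Y_{w_3}$ is directed, and

$$y_1, y_2 \le w_3 = \bigvee Y_{w_3},$$

there exist $y_1', y_2' \in Y_{w_3}$ with $y_1 \le y_1'$ and $y_2 \le y_2'$. Let $y_3$ be an upper bound for $y_1'$ and $y_2'$ in $Y_{w_3}$. $y_3$ is then an upper bound for $y_1$ and $y_2$ in $Y$.

Therefore

$$c \in \Big( \bigcup_{i \in \omega} f_*(A_i) \Big)^c = \bigsqcup_{i \in \omega} f_*(A_i).$$

∎

Being continuous, $f_*: P[D] \to P[D]$ has a least fixed point

$$A_Q = \bigsqcup_{i \in \omega} f_*^i(\bot).$$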
Define the meaning of the program $Q$ to be that least fixed point $A_Q$. The theorems below show that $A_Q$ is the set of initial histories of the actor event diagrams that correspond to completed computations of $Q$.

They also show that this power domain semantics is compatible with Greif's behavioral semantics. 12 Behavioral semantics does not use pending events or fixed points. Instead it uses causal axioms to go directly from behaviors to the set of completed computations. Essentially these causal axioms state that a completed computation is an actor event diagram that is complete with respect to the initial behaviors.

Definition. An augmented actor event diagram $x = (E, M, \xrightarrow{\mathrm{act}}, P) \in D$ is consistent with respect to the initial behaviors given by

$$\mathcal{P}(Q): A \to F$$

iff for each event $e = (a, n) \in E$

$$\mathrm{pend}(b(a, n)(M(e))) = \{ (a', m') \mid ((a', m'), e) \in P \} \uplus \{ (T(e'), M(e')) \mid e' \in E \text{ and } e = \mathrm{activator}(e') \}$$

(where $\{\cdot\}$ indicates multiset abstraction in which repetitions are counted). In other words, the pending and realized events activated by $e$ are as they should be according to the behavior of $a = T(e)$ at the time of the event $e$.

Definition. An augmented actor event diagram $x = (E, M, \xrightarrow{\mathrm{act}}, P) \in D$ is complete with respect to the initial behaviors given by

$$\mathcal{P}(Q): A \to F$$

iff $x \ne \bot$, $P$ is empty, and for each event $e = (a, n) \in E$

$$\mathrm{pend}(b(a, n)(M(e))) = \{ (T(e'), M(e')) \mid e' \in E \text{ and } e = \mathrm{activator}(e') \}$$

(where $\{\cdot\}$ indicates multiset abstraction in which repetitions are counted). In other words, $x$ has at least one event, $x$ has no pending events, and $x$ is consistent with respect to the initial behaviors given by $\mathcal{P}(Q)$.

12 Irene Greif, “Semantics of communicating parallel processes”, MIT Project MAC Technical Report 154, September 1975.

The following theorems prove that the actor event diagrams that are complete with respect to the initial behaviors given by $\mathcal{P}(Q)$ are precisely the completed elements of the least fixed point. (Recall that the completed elements of $D$ are just the maximal elements of $D$.)

Theorem 3. Every element of the least fixed point $A_Q$ is consistent with respect to the initial behaviors given by $\mathcal{P}(Q)$.

Proof. Refer to the definition of the initial history ordering $\le$ and the theorem following it in §3. If $x \le y$, and $y$ is consistent with respect to the initial behaviors, then $x$ is also. If $X \subseteq D$ is directed, each element of $X$ is consistent with respect to the initial behaviors, and $\bigvee X$ exists, then $\bigvee X$ is consistent with respect to the initial behaviors. Thus if every element of $Y \subseteq D$ is consistent with respect to the initial behaviors, then so is every element of $Y^c$. It follows that if for $\alpha \in I$ each element of $A_\alpha \in P[D]$ is consistent, then each element of $\bigsqcup_{\alpha \in I} A_\alpha$ is consistent.

Hence most of the operations involved in the construction of $A_Q = \bigsqcup_{i \in \omega} f_*^i(\bot)$ preserve consistency. $\bot$ is consistent with respect to any initial behaviors. There remains only to show that if $x \in D$ is consistent, then the elements of $g(x)$ are consistent.

Both elements of $g(\bot)$ are consistent. If $x$ is consistent and has no pending events, then $g(x) = \{ x \}^c$ so the elements of $g(x)$ are consistent. If $x$ is consistent and has $((a, m), e)$ as a pending event, then $x(a, m, e)$ is consistent. Thus $g(x)$ contains only consistent elements.

Therefore every element of $A_Q$ is consistent with the initial behaviors given by $\mathcal{P}(Q)$. ∎

Theorem 4.

$$A_Q = \{ x \in D \mid x \text{ is consistent with respect to the initial behaviors given by } \mathcal{P}(Q) \}.$$

Proof. The preceding theorem takes care of the forward inclusion.

Let $x = (E, M, \xrightarrow{\mathrm{act}}, P) \in D$ be consistent with respect to the initial behaviors given by $\mathcal{P}(Q)$. By Theorem 1 of §II.5 there exists a one-to-one mapping $g: E \to \omega$ that preserves the combined ordering $\longrightarrow$. For $i \in \omega$, let $x_i$ be the unique element of $D$ such that $x_i \le x$ and $x_i$ has

$$\{ e \in E \mid g(e) = j \text{ for some } j < i \}$$

as its set of realized events. Then for each $i \in \omega$

$$x_i \in f_*^i(\bot)$$

and so $x = \bigvee_{i \in \omega} x_i \in \bigsqcup_{i \in \omega} f_*^i(\bot)$. ∎

Definition. If $A \in P[D]$, then

$$\mathrm{completed}(A) = \{ x \in A \mid x \text{ is maximal in } D \}.$$

Corollary 5.

$$\mathrm{completed}(A_Q) = \{ x \in D \mid x \text{ is complete with respect to the initial behaviors given by } \mathcal{P}(Q) \}.$$

§8 describes a power domain isomorphic to $(P[D], \subseteq)$ in which the least fixed point of $f_*$ contains only the completed elements.

The following theorem confirms a claim made in §III.5.

Theorem 6. Every element of the least fixed point $A_Q$ is an initial history of a completed element of $A_Q$.

Proof. Let $x \in A_Q = \bigsqcup_{i \in \omega} f_*^i(\bot)$. Either $x$ is itself completed or $x \in f_*^n(\bot)$ for some $n \in \omega$. In the first case there is nothing to prove.

In the second case it is possible to construct an increasing sequence in $A_Q$ beginning with $x$ that has a completed least upper bound. Let the pending events of $x$ be $p_0 = ((a_0, m_0), e_0), \ldots, p_{k_0}$. Let $x_0 = x$.

Let $x_1 = x_0(a_0, m_0, e_0)$ and let $p_1, \ldots, p_{k_0}, \ldots, p_{k_1}$ be the pending events of $x_1$, where $p_1, \ldots, p_{k_0}$ are the same as before.

The induction hypothesis for $i$ is that for all $j < i$, $x_j \le x_{j+1}$, and for all $j \le i$, $x_j \in f_*^{n+j}(\bot)$ and either $x_j$ is completed or the pending events of $x_j$ are $p_j, \ldots, p_{k_j}$. If $x_i$ is completed, define $x_{i+1} = x_i$. Otherwise define $x_{i+1} = x_i(a_i, m_i, e_i)$ where $p_i = ((a_i, m_i), e_i)$. If $x_{i+1}$ is not completed then let the pending events of $x_{i+1}$ be $p_{i+1}, \ldots, p_{k_i}, \ldots, p_{k_{i+1}}$ where $p_{i+1}, \ldots, p_{k_i}$ are the same as before.

The least upper bound of the sequence $\{ x_i \}_{i \in \omega}$ exists and is a completed element of $A_Q$. ∎

What has been accomplished? 

Augmented by pending events, the actor event diagrams form a domain under the initial history 
ordering. Although the actor event diagram domain is incomplete, its power domain exists and 
provides a fixed point semantics for actor-based languages. This power domain semantics, which is 
denotational, is compatible with behavioral semantics. 

The actor power domain shows that a power domain whose underlying domain is incomplete can 
deal with finite delay and the unbounded nondeterminism that results. 

IV.5. Example: Infinite Loop 

This section calculates the fixed point for a program that loops forever. It is interesting to compare this example with that of the next section.

As in the examples of the next two sections, there are only two actors to consider. One of the actors is the user, which simply accepts messages. The other actor is $a_0$, the target of the initial event. Its behavior is defined by an Atolia program. 13 In this instance, the program is


    (loop = accept [ ]
              send "add1" to loop ;
              become i initially 0
                inside
                  accept [ msg ]
                    if equal [ msg "add1" ]
                      then change i to plus [ i 1 ] ;
                           send "add1" to loop
                      else
                        if equal [ msg "halt" ]
                          then send i to user ; become accept [ ] dummy
                          else dummy).

13 See §V.5. 


Figure 9. The least fixed point $\bigsqcup_{i \in \omega} f_*^i(\bot)$ for loop.

This program says that when $a_0$ receives the go message $m_0$ (which will be written [ ] in event diagrams) it initializes itself to a state 0 and sends itself an increment instruction. When it accepts an increment instruction in state $i$, it enters state $i + 1$ and sends itself another increment instruction. Were it ever to accept a halt instruction, it would tell the user its current state. Its initial behavior is $b: M \to (F \times (A \times M)^*)$ given by

$$
\begin{aligned}
b:\quad m_0 &\mapsto (b_0,\ \langle [a_0 \leftarrow \text{add1}] \rangle)\\
b_i\ (i \in \omega):\quad \text{add1} &\mapsto (b_{i+1},\ \langle [a_0 \leftarrow \text{add1}] \rangle)\\
\text{halt} &\mapsto (\text{passive},\ \langle [\text{user} \leftarrow i] \rangle)\\
\text{passive}:\quad m &\mapsto (\text{passive},\ \langle\rangle)
\end{aligned}
$$

where $[t \leftarrow m]$ indicates the ordered pair $(t, m)$ signifying that the message $m$ is sent to the target $t$. Messages that do not match one of the cases given are just ignored.

It is easy to calculate the least upper bound of the function $f_*: P[D] \to P[D]$ associated with this very simple program. The stages $f_*^i(\bot)$ are shown in Figure 8. The least fixed point is shown in Figure 9, and the lone completed element of the least fixed point is shown in Figure 10.

The event diagrams in these figures are drawn compactly, with each actor’s arrival ordering labelled at its top by the name of the actor so only messages need be written beside events. The activator of a pending event appears in parentheses after the pending event. Recall that (a, n) is the (n + 1)th event in the arrival ordering of a.

Figure 8. $f_*^i(\bot)$ for loop.

Figure 10. completed$(\bigsqcup_{i \in \omega} f_*^i(\bot))$ for loop.

For all programs the stages $f_*^i(\bot)$ contain finite initial histories only. It is the least upper bound operation $\bigsqcup$ that puts elements representing nonterminating computations into the least fixed point. The least upper bound of $\{ f_*^i(\bot) \mid i \in \omega \}$ consists of the union $\bigcup_{i \in \omega} f_*^i(\bot)$ together with all existing least upper bounds in $D$ of strictly increasing 14 sequences of elements from the union. In this example all strictly increasing sequences of elements from the union have the same least upper bound, so the least fixed point of $f_*$ contains only one event diagram that does not appear in any $f_*^i(\bot)$.

In the next example the strictly increasing sequences of elements from $\bigcup_{i \in \omega} f_*^i(\bot)$ have no least upper bound, so the least fixed point is the same as the union.

IV.6. Example: Terminating Unbounded Choice 

The following program has unbounded nondeterminism. 

    (choose = accept [ ]
                send "add1" to choose ;
                send "halt" to choose ;
                become i initially 0
                  inside
                    accept [ msg ]
                      if equal [ msg "add1" ]
                        then change i to plus [ i 1 ] ;
                             send "add1" to choose
                        else
                          if equal [ msg "halt" ]
                            then send i to user ; become accept [ ] dummy
                            else dummy)

14 A strictly increasing sequence $\{ x_i \}_{i \in \omega}$ has $x_i \le x_{i+1}$ and $x_i \ne x_{i+1}$ for all $i \in \omega$.


This program is almost the same as the loop program given in the last section. When actor $a_0$ accepts the go message $m_0$, it initializes itself to a state 0 and sends itself both an increment instruction and a halt instruction. Since all messages must eventually arrive at their targets, $a_0$ will eventually accept this halt instruction and terminate. Unlike the loop program, then, the choose program must terminate.

The initial behavior of $a_0$ is $b$ given by

$$
\begin{aligned}
b:\quad m_0 &\mapsto (b_0,\ \langle [a_0 \leftarrow \text{add1}],\ [a_0 \leftarrow \text{halt}] \rangle)\\
b_i\ (i \in \omega):\quad \text{add1} &\mapsto (b_{i+1},\ \langle [a_0 \leftarrow \text{add1}] \rangle)\\
\text{halt} &\mapsto (\text{passive},\ \langle [\text{user} \leftarrow i] \rangle)\\
\text{passive}:\quad m &\mapsto (\text{passive},\ \langle\rangle).
\end{aligned}
$$

Again it is easy to calculate the least upper bound of the function $f_*: P[D] \to P[D]$. The stages $f_*^i(\bot)$ are shown in Figure 11. The least fixed point is

$$\bigcup_{i \in \omega} f_*^i(\bot),$$

that is, the union of the stages in Figure 11, and the set of completed elements of the least fixed point is shown in Figure 12. There are no elements representing nonterminating computations in the least fixed point because the strictly increasing sequences of elements from $\bigcup_{i \in \omega} f_*^i(\bot)$, such as the sequence in Figure 13, do not have least upper bounds in $D$. Had the power domain been formed from the ω-completion $\overline{D}$, the least fixed point would contain an element of $\overline{D}$ representing a nonterminating computation in which an event remains pending forever.

Figure 11. $f_*^i(\bot)$ for choose.

Figure 12. completed$(\bigsqcup_{i \in \omega} f_*^i(\bot))$ for choose.

Figure 13. A strictly increasing sequence in $\bigcup_{i \in \omega} f*^{i}(\bot)$ with no least upper bound.

In the existing implementations of Atolia on sequential machines, the choose program always
produces 0, 1, or 2 when run all by itself. This is allowed by loose nondeterminism: implementations
are not required to preserve all the nondeterminism present in the semantics.

Even in the existing implementations, however, choose can return a result greater than 2 when
other programs run pseudo-concurrently. Every bound that might be placed on the result can be
exceeded by placing a sufficiently heavy burden on the Atolia processor.


IV.7. Example: Possibly Nonterminating Choice 


Sequential programs with choice points are sometimes used in attempts to model nondeterministic
concurrency. Such attempts are bound to fail since choice nondeterminism is bounded. This
section shows how arrival nondeterminism can successfully model choice nondeterminism.

The program below uses an “arrives-first” choice. Its nondeterminism is bounded.

    (choice-loop = accept [ ]
        send "addl" to choice-loop ;
        send "stop" to choice-loop ;
        become i initially 0 ;
               waiting initially false
        inside
            accept [ msg ]
                if waiting
                then if equal [ msg "stop" ]
                     then change i to plus [ i 1 ] ;
                          change waiting to false ;
                          send "addl" to choice-loop ;
                          send "stop" to choice-loop
                     else dummy
                else if equal [ msg "addl" ]
                     then change waiting to true
                     else
                         if equal [ msg "stop" ]
                         then send i to user ;
                              become accept [ ] dummy
                         else dummy)

When actor $a_0$ accepts the go message $m_0$, it initializes itself to a state 0 and sends itself both an
increment instruction and a stop instruction. It obeys whichever instruction arrives first. That is, if
$a_0$ is in state $i$ and the stop instruction arrives first, then $a_0$ sends $i$ to the user and terminates. If the
increment instruction arrives first, though, then $a_0$ waits until the stop instruction arrives. When the
stop instruction arrives, instead of stopping $a_0$ enters state $i + 1$ and begins the cycle again by sending
itself both an increment instruction and a stop instruction. The initial behavior of $a_0$ is $b$ where

$$
\begin{aligned}
b &: m_0 \mapsto (b_0, \langle [a_0 \leftarrow \mathrm{addl}], [a_0 \leftarrow \mathrm{stop}] \rangle) \\
b_i\ (i \in \omega) &: \mathrm{addl} \mapsto (\mathit{wait}_i, \langle\rangle) \\
 &\phantom{:}\ \mathrm{stop} \mapsto (\mathit{passive}, \langle [\mathit{user} \leftarrow i] \rangle) \\
\mathit{wait}_i\ (i \in \omega) &: \mathrm{stop} \mapsto (b_{i+1}, \langle [a_0 \leftarrow \mathrm{addl}], [a_0 \leftarrow \mathrm{stop}] \rangle) \\
\mathit{passive} &: m \mapsto (\mathit{passive}, \langle\rangle)
\end{aligned}
$$



The stages $f*^{i}(\bot)$ for the function $f*$ associated with this program are shown in Figure 14. The
least fixed point is shown in Figure 15, and the set of completed elements of the least fixed point
is shown in Figure 16. There is one element in the least fixed point representing a nonterminating
computation. Therefore the nondeterminism of the choice-loop program is bounded.

Figure 14. The stages $f*^{i}(\bot)$ for choice-loop.

Figure 15. The least fixed point $\bigsqcup_{i \in \omega} f*^{i}(\bot)$ for choice-loop.

One might argue in defense of choice nondeterminism that if choice probabilities are positive, 
and choices are independent, then programs such as choice-loop should terminate with probability 1.
Equivalently there should be merge programs that almost always performed a fair merge, in
the sense that the probability of an unfair merge would be zero. Such a program would be good 
enough for engineering purposes. This argument fails because the nondeterminism that appears in 
a programming language semantics is loose nondeterminism. Implementations are not required to 
preserve all the nondeterminism that is present in the semantics. In particular, implementations are 
free to choose the same alternative in every case, so that in some implementations choice-loop is 
certain not to halt. 
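A small simulation of the choose program of §IV.6 and the choice-loop program of §IV.7, added here as an illustration and not taken from the thesis or from the Atolia interpreter. The scheduler functions `fifo` and `hold_back` and the state dictionary are assumptions standing in for an implementation's arrival order. It shows choose returning any chosen value when halt is delayed finitely long, and choice-loop never halting under a first-in first-out arrival order even though every message is delivered within two events.

```python
def choose_step(st, msg):
    """Behaviors b_i of choose: addl moves to b_{i+1}; halt reports i and goes passive."""
    if st["passive"]:
        return [], None
    if msg == "addl":
        st["i"] += 1
        return ["addl"], None
    if msg == "halt":
        st["passive"] = True
        return [], st["i"]
    return [], None


def choice_loop_step(st, msg):
    """Behaviors b_i and wait_i of choice-loop: obey whichever instruction arrives first."""
    if st["passive"]:
        return [], None
    if st["waiting"]:
        if msg == "stop":                      # wait_i: stop starts the next cycle
            st["i"] += 1
            st["waiting"] = False
            return ["addl", "stop"], None
        return [], None
    if msg == "addl":                          # b_i: the increment arrived first
        st["waiting"] = True
        return [], None
    if msg == "stop":                          # b_i: the stop arrived first
        st["passive"] = True
        return [], st["i"]
    return [], None


def run(step, stop_word, pick, max_events=1000):
    """Deliver a0's pending messages one per event, in the order chosen by `pick`.

    Returns (value sent to user or None, events processed, longest delivery delay).
    """
    st = {"i": 0, "waiting": False, "passive": False}
    pending = [("addl", 0), (stop_word, 0)]    # sent when a0 accepts the go message
    result, longest_wait, n = None, 0, 0
    while pending and n < max_events:
        n += 1
        msg, sent_at = pending.pop(pick([m for m, _ in pending], n))
        longest_wait = max(longest_wait, n - sent_at)
        sends, out = step(st, msg)
        pending.extend((m, n) for m in sends)
        if out is not None:
            result = out
    return result, n, longest_wait


def fifo(msgs, n):
    """A sequential implementation that always delivers the oldest pending message."""
    return 0


def hold_back(stop_word, until):
    """Arrival order that delays the stop/halt message until event number `until`."""
    def pick(msgs, n):
        if n >= until and stop_word in msgs:
            return msgs.index(stop_word)
        others = [j for j, m in enumerate(msgs) if m != stop_word]
        return others[0] if others else 0
    return pick


def choose_results(limit):
    """Result of choose when halt is delayed by 0, 1, ..., limit-1 increments."""
    return [run(choose_step, "halt", hold_back("halt", k + 1))[0] for k in range(limit)]


if __name__ == "__main__":
    print("choose, halt delayed:", choose_results(6))
    print("choose, FIFO:", run(choose_step, "halt", fifo))
    print("choice-loop, FIFO:", run(choice_loop_step, "stop", fifo))
    print("choice-loop, stop first:", run(choice_loop_step, "stop", hold_back("stop", 1)))
```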

IV.8. Relation to Standard Power Domains. 

Usually in a power domain semantics the least fixed point consists only of completed elements,
so applying an operation such as “completed” to the least fixed point is unnecessary. It is tempting
to see this as a defect of the actor power domain, but the quibble can be met on its own terms by
the same sort of mathematical sleight of hand that causes least fixed points in other power domains to
contain only completed elements. For $(D, \le)$ a domain, define the frontier of $A \in P[D]$ to be

$$\mathit{frontier}(A) = \{\, x \in A \mid \forall y \in A\;\; x \le y \Rightarrow x = y \,\}.$$

Define the frontier closure¹⁵ of $A \subseteq D$ to be

$$A^{f} = \begin{cases} \mathit{frontier}(A) & \text{if } A^{c} = (\mathit{frontier}(A))^{c}; \\ A^{c} & \text{otherwise.} \end{cases}$$

Then define another power domain $(P'[D], \sqsubseteq')$ by

$$P'[D] = \{\, A^{f} \mid \bot \in A \subseteq D \,\}$$

and for all $B, C \in P'[D]$

$$B \sqsubseteq' C \iff B^{c} \sqsubseteq C^{c}.$$

$(P'[D], \sqsubseteq')$ is clearly isomorphic to $(P[D], \sqsubseteq)$ via $A^{f} \leftrightarrow A^{c}$.

Consistently replacing references to $P[D]$, $\sqsubseteq$, $\bigsqcup$, and $^{c}$ in §4 by references to $P'[D]$, $\sqsubseteq'$, $\bigsqcup'$, and
$^{f}$ defines $f*$ as a continuous function from $P'[D]$ to $P'[D]$. Its least fixed point is precisely the set of
elements of $D$ that are complete with respect to the initial behaviors.

Figure 16. completed $(\bigsqcup_{i \in \omega} f*^{i}(\bot))$ for choice-loop.

What then is the relationship between standard power domains and the power domains used
here? When $D$ is $\omega$-complete, $P[D]$ is just the standard power domain of $D$. Chapter III simply
extends the standard power domain construction to apply to incomplete domains. This chapter
illustrates the value of that extension.

For every domain $D$ the power domain $P[D]$ is isomorphic to the power domain $P[\bar{D}]$ of its
$\omega$-completion $\bar{D}$. Nonetheless for some domains $P[D]$ can represent unbounded nondeterminism
while $P[\bar{D}]$ cannot. The key to this seeming paradox is that the concrete interpretation placed upon
elements of the power domain is important. The purpose of taking fixed points in the power domain
is not to select a member of an abstract algebraic structure but to define a subset of $D$.

¹⁵ The frontier closure is a closure operation on the power set of D with respect to the preorders IZZ and CZi but not
with respect to CZ.

Chapter V


Locality Laws


The locality laws postulated by Hewitt and Baker enforce the idea that all information flow 
between actors is by means of message passing. As a practical matter, the locality laws rule out side 
effects to shared environments. Furthermore the information contained in a newly created actor’s 
environment must be a subset of the information in the environment of the actor that created it. The 
locality laws state these restrictions in a fairly abstract way. They are independent of the ordering laws 
inasmuch as they further restrict the set of actor event diagrams. 

This chapter extends the semantics of Chapter IV to deal with actor creation. It gives an example
of a programming language semantics that violates the locality laws. The chapter closes by suggesting
that the locality laws ought to be verifiable for the formal semantics of true actor-based languages.

V.1. Actor Acquaintances 

In the terminology of programming languages, a procedural object created by associating values
with the free variables of a syntactic representation of the procedure is called a closure. Closures are
implemented as a pair of pointers, one pointing to the code to be executed when the closure is invoked
and the other pointing to the environment in which the procedure was closed. The environment
supplies values for the free variables.

Actors are analogous to closures. A difference between actors and the objects usually called 
closures is that closures can share environments, causing side effects when one closure changes the 
environment of another closure. An actor amounts to a closure whose environment is protected from 
such side effects. 

Just as a closure consists of code and an environment, an actor consists of a script and a vector 
of acquaintances. The script is simply the code for the actor. The vector of acquaintances provides an 
environment in which the script is evaluated when the actor accepts a message. An actor’s vector of 
acquaintances can be altered only by that actor. 

The vector of acquaintances may contain pointers to other actors. While the pointers themselves 
cannot be side effected, the behaviors of the actors pointed to can change when those actors process 
messages sent to them. The vector of acquaintances therefore provides only one level of protection 
against side effects. 

An actor’s vector of acquaintances may contain values other than pointers to other actors, or it
may consist solely of pointers. In either case the actors that it points to are called acquaintances of
the actor. An actor may alter its vector of acquaintances while processing a message, so its set of
acquaintances may change over time.

V.2. Actor Creation 

In statically scoped languages such as Algol and Scheme¹ closures are created by evaluating a
procedure abstraction. The environment in effect when the abstraction is evaluated becomes the
environment associated with the closure. In actor-based languages actors are created by evaluating a
behavior abstraction. The identifier bindings in effect when the abstraction is evaluated are gathered
together into a vector of acquaintances. If need be, bindings are copied to protect them against side
effects.

¹ Guy Lewis Steele Jr and Gerald Jay Sussman, “The revised report on Scheme: a dialect of Lisp”, MIT Artificial
Intelligence Memo 452, January 1978.

Figure 1. Recursive computation of 4!.

Consider the following subprogram, which computes the factorial function. 


    (factorial = accept [ continuation n ]
        if or [ (lessp [ n 1 ]) (equal [ n 1 ]) ]
        then send 1 to continuation
        else (create ((multiply-by-n
                          = accept [ x ]
                              send times [ n x ] to continuation))
                  send [ multiply-by-n (minus [ n 1 ]) ]
                      to factorial))

The toy language in which this subprogram is written was designed to make actor creation explicit. If
this subprogram is sent the message

    [ user 4 ]

it will create three new actors, $a_1$, $a_2$, and $a_3$, before the result, 24, arrives at the user actor. Actor
$a_1$ is created as a result of the first event in the arrival ordering of factorial, $a_2$ is created as a
result of the second event, and $a_3$ is created as a result of the third event. The event diagram for the
computation is shown in Figure 1.

The three created actors share the script 

accept [ x ] 

send times [ n x ] to continuation 

This script has two free identifiers, n and continuation. When factorial accepts the
message [ user 4 ], it binds continuation to user and n to 4, and those are the bindings in
effect when the create command is first encountered, so the vector of acquaintances for $a_1$ is

    identifier      value
    n               4
    continuation    • → user

The distinction between iterative and recursive programs can be easily expressed in the actor
model: iterative programs do not create any new actors.² The following tail-recursive program, for
example, is iterative.


    (factorial = accept [ continuation n ]
        send [ continuation n 1 ] to loop)

    (loop = accept [ continuation n product ]
        if or [ (lessp [ n 1 ]) (equal [ n 1 ]) ]
        then send product to continuation
        else send [ continuation
                    (minus [ n 1 ])
                    (times [ n product ]) ]
                 to loop)


The actors created by the recursive version of factorial never change their vectors of acquaintances.
For an example of an actor that changes its vector of acquaintances, consider the loop
program of §IV.5:


    (loop = accept [ ]
        send "addl" to loop ;
        become i initially 0
        inside
            accept [ msg ]
                if equal [ msg "addl" ]
                then change i to plus [ i 1 ] ;
                     send "addl" to loop
                else
                    if equal [ msg "halt" ]
                    then send i to user ; become accept [ ] dummy
                    else dummy).


Its vector of acquaintances starts out with two entries, one of which points to loop itself.

    identifier      value
    loop            • → loop
    user            • → user

² Carl Hewitt, “Viewing control structure as patterns of passing messages”, Artificial Intelligence 8, 1977, pages 323-363.

Upon accepting its first message loop adopts a new behavior, differing in both the script and in the
vector of acquaintances:

    identifier      value
    i               0
    loop            • → loop
    user            • → user


It then proceeds to increase the value of i each time it accepts an addl message. 

V.3. Locality Laws Add Power 

Hewitt and Baker³ have proposed locality laws stating reasonable restrictions on the set of acquaintances
of an actor and relating acquaintances to actor event diagrams. This section gives a
variant of the locality laws and shows that adding the locality laws to the ordering laws considered in
Chapter II gives a more powerful theory.

To the structure

$$\langle E, A, T, \mathrel{-\mathrm{act}\!\to}, \mathit{Arr} \rangle$$

considered in Chapter II and consisting of the set of events, the set of actors, the target function, the
activation ordering, and the set of arrival orderings, add three new objects $\mathit{acq}$, $A_0$, and $\mathit{creation}$ to
obtain a structure

$$\langle E, A, T, \mathrel{-\mathrm{act}\!\to}, \mathit{Arr}, \mathit{acq}, A_0, \mathit{creation} \rangle.$$

$\mathit{acq}$ is a function: $E \to \mathit{subsets}(A)$ giving for each event $e$ the set of acquaintances of $T(e)$ at the
time of the event $e$. Intuitively $\mathit{acq}(e)$ is the set of actors that the target of $e$ already knew about
when it accepted the message of $e$. $A_0$ is the set of primeval actors, the set of actors that exist when
computation begins. Thus $A_0$ is a finite subset of $A$. $\mathit{creation}$ is a function: $(A - A_0) \to E$ giving for
each actor created in the course of computation the event that caused its creation.

³ “Laws for communicating parallel processes”, IFIP-77, Toronto, August 1977, pages 987-992, and “Actors and continuous
functionals”, IFIP Working Conference on Formal Description of Programming Concepts, St Andrews, New Brunswick,
Canada, August 1977, 16.1-16.21.

Hewitt and Baker stated the locality laws in terms of a fourth new object, the participants in an
event. The participants in an event are those actors that the target of the event knows about while
processing the message of the event. The participants are thus the acquaintances of the target together
with the actors mentioned by the message.

For an external event, the message can mention an arbitrary finite set of actors, so there is no
restriction on the participants of an external event except that they form a finite set.⁴ For events that
are not external, though, the participants must come from among the acquaintances of the target of
the event, the actors created by the event, and the participants in the activator of the event.

Rather than introduce the participants function into the structure, this section treats it like
global time and simply asserts the existence of a function with the required properties. The locality
laws then become

Law of Finite Acquaintances. $\mathit{acq}(e)$ is finite for every $e \in E$.

Existence of Participants Function. There exists a function $\mathit{participants}\colon E \to \mathit{subsets}(A)$
satisfying the following laws.

Finite Interaction Law. $\mathit{participants}(e)$ is finite for every $e \in E$.

Let $\mathit{created}(e) = \{\, a \in A - A_0 \mid \mathit{creation}(a) = e \,\}$.

Original Acquaintances Law. If $a$ is a created actor, that is, $a \notin A_0$, and $e$ is the first event in the
arrival ordering of $a$, then

$$\mathit{acq}(e) \subseteq \mathit{participants}(\mathit{creation}(a)) \cup \mathit{created}(\mathit{creation}(a)).$$

Arrival Precursor Acquaintances Law. If $a = T(e)$ and $e$ has an immediate predecessor $e'$ in the
arrival ordering of $a$, that is, $e' \mathrel{-\mathrm{arr}_a\!\to} e$ and $\neg\exists e''\;\; e' \mathrel{-\mathrm{arr}_a\!\to} e'' \mathrel{-\mathrm{arr}_a\!\to} e$, then

$$\mathit{acq}(e) \subseteq \mathit{participants}(e') \cup \mathit{created}(e').$$

If $e \in E$ is not external, then let $\mathit{activator}(e)$ be the activator of $e$, that is, the unique immediate
predecessor of $e$ in the activation ordering $\mathrel{-\mathrm{act}\!\to}$.

Activator Acquaintances Law. If $e \in E$ is not external then

$$T(e) \in \mathit{participants}(\mathit{activator}(e)) \cup \mathit{created}(\mathit{activator}(e))$$

$$\mathit{participants}(e) \subseteq \mathit{acq}(e) \cup \mathit{participants}(\mathit{activator}(e)) \cup \mathit{created}(\mathit{activator}(e)).$$

⁴ Perhaps there should be a restriction that the message of an external event can mention only primeval actors.

The second half of the last law differs somewhat from Hewitt and Baker’s formulation. 

The first half of the Activator Acquaintances Law relates the locality laws to the actor event
diagrams. Adding the locality laws to the ordering laws produces a more powerful theory, as shown by
the following actor event diagram which satisfies all the ordering laws of Chapter II but is ruled out by
the locality laws.

The actor event diagram is shown in Figure 2. The idea is that two actors $a$ and $a'$ never communicate
with each other, so they can have only a finite amount of information in common, but each
sends messages to the same infinite set of actors. That cannot be, because there is no way the same
infinite set of pointers to actors can pass through both of $a$ and $a'$.

Formally the actor event diagram of Figure 2 is described by the structure

$$\langle E, A, T, \mathrel{-\mathrm{act}\!\to}, \mathit{Arr} \rangle$$

Figure 2. An actor event diagram that violates the locality laws.

where

$$
\begin{aligned}
& E = \{ e, e' \} \cup \{\, e_i \mid i \in \omega \,\} \cup \{\, e'_i \mid i \in \omega \,\} \\
& A = \{ a, a' \} \cup \{\, a_i \mid i \in \omega \,\} \\
& T(e) = a \\
& T(e') = a' \\
& e_i \mathrel{-\mathrm{arr}_{a_i}\!\to} e'_i \quad \text{for all } i \in \omega \\
& e, e' \text{ are external events} \\
& e \mathrel{-\mathrm{act}\!\to} e_i \quad \text{for all } i \in \omega \\
& e' \mathrel{-\mathrm{act}\!\to} e'_i \quad \text{for all } i \in \omega
\end{aligned}
$$

This structure satisfies the ordering laws of Chapter II, yet there is no way to extend it to a structure

$$\langle E, A, T, \mathrel{-\mathrm{act}\!\to}, \mathit{Arr}, \mathit{acq}, A_0, \mathit{creation} \rangle$$

satisfying the locality laws. Proof: suppose there were such an extension, with a given participants
function satisfying the locality laws. Then $\mathit{participants}(e)$ and $\mathit{participants}(e')$ are both finite,
so their union is also finite. Let $n \in \omega$ be such that $a_n$ is not in their union. $e$ and $e'$ are the
only external events, so the Activator Acquaintances Law applies at both $e_n$ and $e'_n$. Furthermore
$e = \mathit{activator}(e_n)$ and $e' = \mathit{activator}(e'_n)$. Hence $\mathit{creation}(a_n) = e$ and $\mathit{creation}(a_n) = e'$, a
contradiction.

This actor event diagram can be modified so that there is only one external event and no event 
activates infinitely many events, and a similar proof will still go through. 

§II.7 showed that the ordering laws were independent of the locality laws. This section has
returned the favor by showing that the locality laws are independent of the ordering laws.
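The argument of this section can be replayed mechanically on a finite prefix of the diagram of Figure 2. The checker below is an added illustration, not part of the thesis: the `Event` record, the constructed participants sets and the contrast diagram `relayed_prefix` (in which a creates each a_i and passes its name to a') are assumptions. It applies only the first half of the Activator Acquaintances Law together with the fact that creation is a function.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Event:
    name: str
    target: str                        # T(e)
    activator: Optional[str] = None    # None marks an external event


def forced_creators(events, participants):
    """For each actor, the events that the law forces to be its creation event.

    First half of the Activator Acquaintances Law: T(e) must lie in
    participants(activator(e)) or in created(activator(e)).  When the target is
    not a participant of the activator, the activator must have created it.
    """
    forced: Dict[str, Set[str]] = {}
    for ev in events:
        if ev.activator is None:
            continue                   # the law does not apply to external events
        if ev.target not in participants.get(ev.activator, frozenset()):
            forced.setdefault(ev.target, set()).add(ev.activator)
    return forced


def locality_conflicts(events, participants, primeval):
    """Actors for which no creation function can satisfy the law.

    creation is a function on A - A0, so a created actor has exactly one
    creation event and a primeval actor has none.
    """
    conflicts = {}
    for actor, creators in forced_creators(events, participants).items():
        if actor in primeval or len(creators) > 1:
            conflicts[actor] = sorted(creators)
    return conflicts


def figure2_prefix(n):
    """First n targets of Figure 2: e activates e_i and e' activates e'_i, both at a_i."""
    events = [Event("e", "a"), Event("e'", "a'")]
    for i in range(n):
        events.append(Event(f"e_{i}", f"a_{i}", activator="e"))
        events.append(Event(f"e'_{i}", f"a_{i}", activator="e'"))
    return events


def relayed_prefix(n):
    """Contrast case: a creates each a_i and passes its name to a' in a message d_i."""
    events = [Event("e", "a")]
    participants = {"e": frozenset({"a", "a'"})}
    for i in range(n):
        events.append(Event(f"e_{i}", f"a_{i}", activator="e"))
        events.append(Event(f"d_{i}", "a'", activator="e"))
        events.append(Event(f"e'_{i}", f"a_{i}", activator=f"d_{i}"))
        participants[f"d_{i}"] = frozenset({"a'", f"a_{i}"})
    return events, participants


# Constructed participants sets: any finite choice leaves some a_n outside both.
PARTICIPANTS = {
    "e": frozenset({"a", "a_0", "a_1"}),
    "e'": frozenset({"a'", "a_1", "a_2"}),
}
PRIMEVAL = frozenset({"a", "a'"})

if __name__ == "__main__":
    print(locality_conflicts(figure2_prefix(5), PARTICIPANTS, PRIMEVAL))
    print(locality_conflicts(*relayed_prefix(5), PRIMEVAL))
```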

V.4. Semantics with Actor Creation 

Chapter IV gave a power domain semantics for actor-based languages without actor creation.
This section extends the semantics of Chapter IV to permit actors to be created during the course of
computation.

The concept of programming language semantics that has the most to do with the technical
adjustments in this section is the concept of a store. Usually a store is a mapping from locations
to stored values. Here it will be a mapping from actor names, or network addresses, to behaviors.
Usually updated versions of the store are passed from semantic function to semantic function. Here
and in Chapter IV the original store is passed together with enough history to reconstruct the updated
store. Usually the question of exactly which unused location is pressed into service when a new object
is created is left unanswered by programming language semanticists. On this question, and often on
this question only, semanticists usually resort to axioms rather than give a concrete denotation.⁵ Here
a concrete answer will be given to the question of which unused actor name should be allocated to
a new actor. However, the set of actor names will not bear any resemblance to the space of network
addresses for real machines. The correspondence between actor names and network addresses is to be
determined by the storage management module in real implementations.

⁵ See for example the discussion of new in § J . -1.2 of Milne and Strachey, A Theory of Programming Language Semantics,
Chapman and Hall, London, 1976.

The semantics given in §IV.4 begins by assuming a function

<?(Q):A F 

giving the initial behavior of each actor. The obvious way to extend the semantics to deal with actor 
creation is to let 3* (Q) specify only the behaviors of primeval actors and to let the semantics keep 
track of the behavior of a created actor beginning with the time of its creation. This approach is 
sound, would work, and is the approach usually taken, but it would require significant revisions to the 
power domain semantics of Chapter IV. The revisions would be necessary because of a shortcut that 
was taken to simplify the semantics. The semantics in Chapter IV does not associate a mapping from 
actors to current behaviors with each event diagram. Rather it computes current behaviors from the 
initial behaviors and the initial history provided by an event diagram. 

This section instead makes ^ (Q): A —► F give the initial behavior of every actor, primeval 
and created alike, that could possibly exist during a computation. That is accomplished through the 
inelegant technical trick of coding within the name of each created actor a pointer to its creation 
event. Indeed a created actor’s name will include the entire local history of the actor that created it, 
up to and including its creation event. To be specific, the set of actor names is defined by the reflexive 
domain equation 

$$A = \{\mathit{user}\} + (\{\mathit{program}\} \times N) + ((A \times M^{+}) \times N)$$

where user and program are distinct atomic symbols, $N$ is the flat domain of natural numbers, and
$M^{+}$ is the domain of nonempty sequences of messages. The interpretation of the actor names is as
follows.

user is one of the primeval actors. It is meant to denote a terminal, file, or operating system
through which programs can communicate results to their user.

$\langle \mathit{program}, 0 \rangle$ is the first actor declared in a program, so it too is a primeval actor. In general
$\langle \mathit{program}, \nu \rangle$ is the $(\nu + 1)$th of the primeval actors declared in a program. All actors of the form
$\langle \mathit{program}, \nu \rangle$ are primeval if they exist.

$\langle\langle a, \mu^{*} \rangle, \nu \rangle$ is the name of the $(\nu + 1)$th actor created as a result of the $n$th event in the arrival
ordering of $a$, where $n$ is the length of the sequence $\mu^{*}$. The $i$th element of $\mu^{*}$ is the message of the
$i$th event in the arrival ordering of $a$. Thus $\mu^{*}$ codes the local history of $a$ that led to the creation of
$\langle\langle a, \mu^{*} \rangle, \nu \rangle$. Note that if $a$ is itself a created actor then the name ‘a’ points to its creation event, and so
on. In this way every actor name traces history all the way back to a primeval actor, making possible
an inductive definition of*? (Q) with the primeval actors as the basis for the induction. 

Recall that in §IV.2 the behavior domain was defined via the equation

$$F = M \to (F \times (A \times M)^{*})$$

so a behavior was a function from messages to pairs consisting of a new behavior and a finite sequence
of messages sent to target actors. Allowing actors to create a finite number of new actors upon
accepting a message causes the behavior domain to become

$$F = M \to G \to (F \times (A \times M)^{*} \times F^{*})$$

where an element of $F^{*}$ is a finite sequence of behaviors—the initial behaviors of the created actors.
An element of $G$ is an actor name generator producing the names to be given to the actors created in
an event. The domain $G$ is defined by

$$G = A \times G.$$

The only changes that need to be made to §IV.4 to accommodate actor creation are caused by
the addition of actor name generators to the behavior domain equation. The semantics must supply
behaviors with both a message and the correct actor name generator.

The definition in §IV.4 of the successive behaviors of an actor a must be changed to 

b(a, 0 ) = «|>(Q)o 

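$$b(a, n + 1) = \mathit{next}\,\bigl(b(a, n)\,(M(\langle a, n \rangle))\,\gamma_{n+1}\bigr)$$

where $\gamma_{n+1}$ is the actor name generator producing the new actor names

$$\langle\langle a, \mu^{*} \rangle, 0 \rangle,\ \langle\langle a, \mu^{*} \rangle, 1 \rangle,\ \langle\langle a, \mu^{*} \rangle, 2 \rangle,\ \ldots$$

Here $\mu^{*}$ is a list of the first $n + 1$ messages to arrive at $a$. Thus

$$\gamma_{n+1} = \mathit{gamma}\,(\langle a, \mathit{history}(a, n + 1) \rangle)$$

where gamma is as defined in the appendix and history is defined by

$$
\begin{aligned}
\mathit{history}(a, 0) &= \langle\rangle \\
\mathit{history}(a, n + 1) &= (\mathit{history}(a, n)) \mathbin{\S} \langle M(\langle a, n \rangle) \rangle
\end{aligned}
$$

where § indicates concatenation of sequences.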

In the definition of g (_]_) in §IV.4 the pending events P must be changed to 

P = pend [9 [Q)a 0 nM)')) X { (oq, 0) }, 


where

$$\gamma = \mathit{gamma}\,(\langle a_0, \langle m_0 \rangle \rangle)$$

while in the definition of $x(a, m, e)$ the pending events $P'$ must be changed to


P' — [P — { ((a, m), e) }) \+j(pend (behavior (a) rn 7 ) X «<*.»») 


where

$$\gamma = \mathit{gamma}\,(\langle a, (\mathit{history}(a, n)) \mathbin{\S} \langle m \rangle \rangle).$$

In the definitions of augmented actor event diagrams consistent with respect to the initial behaviors
and complete with respect to the initial behaviors the left hand side of the main equation must be
changed from

$$\mathit{pend}\,(b(a, n)\,(M(e)))$$

to

$$\mathit{pend}\,(b(a, n)\,(M(e))\,\gamma)$$

where

$$\gamma = \mathit{gamma}\,(\langle a, \mathit{history}(a, n + 1) \rangle).$$

The theorems of § IV.4 are unaffected by these technical changes. The changes make possible 
a definition of^(Q): A —► F giving an initial behavior for all actors that could possibly be created 
during computation. The appendix contains the details.

By way of apology I would like to quote Milne and Strachey:⁶

    In situations where any one of a large number of models is equally satisfactory
    it might well seem better to give a set of axioms which all the models
    need to satisfy and to refrain from making the extra and arbitrary choices any
    particular model involves. We shall not adopt this course, because the use of
    a particular model allows us to give our results a more concrete form and, we
    think, improves the intelligibility of an already complex subject.

Readers who feel that the treatment of actor names in this section is a counterexample to that argument
have my sympathy.


V.5. A Toy Language 

A dissertation on defining the semantics of actor-based programming languages ought to define 
the semantics of an actor-based programming language. The appendix presents the semantics of a toy 
language illustrating actors, culminating in a function 

$$\mathit{Act} \to (A \to F)$$

giving for each program in Act an assignment of initial behaviors to actors. At that point the power 
domain semantics of Chapter IV takes over. 

The toy language presented in the appendix, dubbed Atolia for ease of reference, was designed 
expressly to illustrate this dissertation. It is a horrid programming language, as the sample programs in 
the appendix demonstrate. The one thing Atolia does well is reflect the semantics of message passing 
and actor creation. 

An interpreter for Atolia programs has been written in Lisp for the DEC PDP-10 and the Lisp
Machines at the MIT Artificial Intelligence Laboratory. The interpreter normally runs programs
pseudo-concurrently and is nondeterministic. Efficiency was not a concern when the interpreter was
built. Comparisons made on the PDP-10 show that Atolia programs run three to seven times slower
than comparable Scheme⁷ programs. Implementation and testing of the interpreter took ten person-days.
The Atolia programs contained in this dissertation were tested using the interpreter.

⁶ ibid.


V.6. The Locality Laws may not Hold 

Do the locality laws hold for Atolia? The semantic definition of Atolia given in the appendix does
not answer that question because the definition is incomplete. The semantic function

$$\mathcal{O}\colon \mathit{Opr} \to V \to V$$

giving the meaning of primitive operators is not defined. If Atolia has sufficiently strange primitive
operators, then the locality laws do not hold. Let $a_0, a_1, a_2, \ldots$ be distinct actors, and consider the
function $\mathit{strange}\colon V \to V$ defined by

$$
\mathit{strange}(e) = \begin{cases}
a_0 \text{ in } V & \text{if } e = \mathit{true} \text{ in } V; \\
a_{i+1} \text{ in } V & \text{if } e = a_i \text{ in } V; \\
e & \text{otherwise}
\end{cases}
$$

where ($a$ in $V$) is the injection of $a$ into the domain $V$. If Atolia contains a primitive operator
strange such that

$$\mathcal{O}[\![\mathtt{strange}]\!] = \mathit{strange}$$

then the locality laws do not hold. The reason is the primitive operator strange makes it possible
for an actor to send messages to an infinite set of actors without ever creating an actor or accepting a
message from any actor other than itself. Consider the program


    (startup = accept [ ]
        send strange(true) to A ;
        send strange(true) to B)

    (A = accept [ actor ]
        send "greetings" to actor ;
        send strange(actor) to A)

    (B = accept [ actor ]
        send "greetings" to actor ;
        send strange(actor) to B)

⁷ Guy Lewis Steele Jr and Gerald Jay Sussman, “The revised report on Scheme: a dialect of Lisp”, MIT Artificial
Intelligence Memo 452, January 1978.


This program does not heed the locality laws. The actor event diagrams that correspond to its computations
resemble the actor event diagram proved in §3 to violate the locality laws.

The effect of the locality laws is to rule out such strange primitive operators. To put it differently,
the locality laws call on a semantics to account for such operators in terms of message passing and
actor creation so that they no longer appear as primitives. The point is that the locality laws do not
automatically hold for a programming language semantics. A semantics for which the locality laws fail
may be perfectly acceptable for some purposes, but it is not a true actor semantics.


V.7. The Locality Laws may be Provable 

The previous section showed that if the primitive operators of Atolia are ill behaved, then the
locality laws do not hold. If on the other hand the primitive operators are well behaved, then the 
locality laws do hold for Atolia. 

This claim has the status of a conjecture rather than a proved theorem. Its proof would involve 
a structural induction encompassing every semantic equation in the appendix, and that structural 
induction has not been carried out. Nonetheless a compelling plausibility argument can be based on
a simple inspection of those equations. 

The value domain of Atolia is 

V = T + N + R + H* + A + V* 
where A is the domain of actors, V* is the domain of sequences of values, and the other domains are
basic domains not involving actors. 8 Define the set of actors embedded in a value ε ∈ V as s(ε) where

        if ε ∈ T;
        if ε ∈ N;
        if ε ∈ R;
        if ε ∈ H*;
        if ε ∈ A and ε | A = α;
        if ε ∈ V* and ε | V* = ⟨⟩;
        if ε ∈ V* and ε | V* = ⟨ε₀, ..., εₙ⟩.

(Here ε | D is the projection of ε to the domain D.) A primitive operator O ∈ Opr is well behaved iff
for all ε ∈ V

\[ s(\mathcal{O}[\![O]\!]\,\varepsilon) \subseteq s(\varepsilon) \]

so that applying the operator to a value produces a result value embedding only actors that were 
already present in the argument value. If every Atolia operator is well behaved in this sense, then the 
locality laws hold. 

Idea of proof: it should be clear how to define the primeval actors A₀ and the creation function
creation for a computation performed by an Atolia program. There are several ways to define the
acquaintances function acq. The simplest way is to define

\[ \mathit{acq}(e) = \bigcup_{I \in \mathrm{Ide}} s(\rho[\![I]\!]) \]

where ρ is the environment giving the values of identifiers appearing in the script of T(e) at the time
of the event e. An alternative is to take the union only over those identifiers appearing free in the
script of T(e). Both definitions serve the purpose. From either one a participants function can be
defined by

\[
\mathit{participants}(e) =
\begin{cases}
\mathit{acq}(e) & \text{if } e \text{ is external;} \\
\mathit{acq}(e) \cup \mathit{participants}(e') \cup \mathit{created}(e') & \text{if } e' = \mathit{activator}(e).
\end{cases}
\]


8 In Actl the value domain is V = A because everything is an actor. Actl does not have primitive operators, but has
primitive actors, which Atolia does not have. With a few changes mandated by those differences the remarks of this
section would apply equally to proving the locality laws for Actl.
participants (e) is thus the set of all actor names that could possibly be accessible to the target of e
while it is processing the message of e. Defining participants (e) = acq (e) for external events works 
only because the single external event of an Atolia computation mentions no actors. If the message 
of an external event could mention actors, then those actors would have to be included among the 
participants. 

The second half of the Activator Acquaintances Law is immediate from the definition of 
participants. 

Since only finitely many identifiers are bound in the initial environment, the identifier binding 
mechanisms of Atolia bind only finitely many identifiers at a time, and Atolia scripts always terminate, 
only finitely many identifiers can become bound as the result of an event. Furthermore created ( e ) is 
always finite. An induction on the number of predecessors of an event in the combined ordering thus 
proves both the Law of Finite Acquaintances and the Finite Interaction Law. 

Yet to be established are the Original Acquaintances Law, the Arrival Precursors Acquaintances
Law, and the first half of the Activator Acquaintances Law. These are the nontrivial locality laws.
They all depend upon the idea that the only way an actor name can become known to an actor α is by
being present in the environment prevailing when α is created, by being part of a message sent to α, or
by being the name of an actor created by α. Proving the locality laws for Atolia amounts to verifying
this idea from the semantic equations given in the appendix.

Inspection reveals that the only possible problem is the primitive operators. So long as they are 
well behaved, though, an actor cannot use them to come up with any new actor names that the actor 
doesn’t already know about. If the primitive operators are well behaved, therefore, the locality laws 
hold. 
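The well-behavedness condition of this section, checked against the operator strange of §V.6 and replayed on actor A of the §V.6 program, as an added Python example (not code from the thesis). The case values of s (no actors in a basic value, the actor itself for an actor, the union over the elements of a sequence) are assumptions read off the prose, and the names Actor, embedded_actors, counterexamples, run_A and the sample values are constructed here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Actor:
    """Element of the actor domain A. Actor("a", i) stands for the i-th of
    the distinct actors introduced in section V.6."""
    name: str
    index: int = 0


def embedded_actors(e):
    """Set of actors embedded in a value of V = T + N + R + H* + A + V*.

    Assumed cases: no actors in a basic value (bool, int, float, str),
    {a} for an actor a, and the union over the elements of a sequence
    (modelled here as a tuple).
    """
    if isinstance(e, Actor):
        return frozenset([e])
    if isinstance(e, tuple):
        return frozenset().union(*(embedded_actors(x) for x in e))
    return frozenset()


def strange(e):
    """The ill-behaved primitive operator of section V.6."""
    if e is True:
        return Actor("a", 0)
    if isinstance(e, Actor) and e.name == "a":
        return Actor("a", e.index + 1)
    return e


def first(e):
    """Sequence operator in the style of first(q) in the sample programs."""
    return e[0] if isinstance(e, tuple) and e else ()


def actorp(e):
    """Predicate named on the page; it returns a truth value, never an actor."""
    return isinstance(e, Actor)


def counterexamples(op, samples):
    """Values e for which s(op(e)) is not a subset of s(e), with the leak.

    A finite sample can refute well-behavedness but cannot prove it: the
    definition quantifies over every value in V.
    """
    found = []
    for e in samples:
        leaked = embedded_actors(op(e)) - embedded_actors(e)
        if leaked:
            found.append((e, leaked))
    return found


A = Actor("A")  # the actor A of the V.6 program


def run_A(events):
    """Replay actor A of the V.6 program for `events` message arrivals.

    For each arrival, return the actors that A places in outgoing messages
    although they were neither acquaintances of A nor part of the message
    being processed (A creates no actors, so nothing else could excuse them).
    """
    acquaintances = frozenset([A])   # A's script mentions only A itself
    message = strange(True)          # sent to A by startup
    leaks = []
    for _ in range(events):
        participants = acquaintances | embedded_actors(message)
        # send "greetings" to actor ; send strange(actor) to A
        outgoing = ((message, "greetings"), (A, strange(message)))
        leaks.append(embedded_actors(outgoing) - participants)
        message = strange(message)   # next arrival: the message A sent to itself
    return leaks


# Constructed sample values, at least one from each summand of V.
SAMPLES = [True, False, 0, 2.5, "greetings", Actor("a", 0),
           (Actor("a", 3), 7), ((), (Actor("A"),))]

if __name__ == "__main__":
    for op in (actorp, first, strange):
        print(op.__name__, counterexamples(op, SAMPLES))
    print(run_A(3))
```

Every arrival at A leaks exactly one fresh actor name, which is how A reaches an unbounded set of actors without creating any or hearing from anyone but itself.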
Chapter VI


Conclusion 


This thesis has set forth the foundations of a theory of semantics for nondeterministic programming
languages based on the actor model of concurrent computation. To that end, the thesis has given
a precise account of the actor model. It has justified the ordering laws using a notion of global time
realizability. It has demonstrated a constraining effect of the locality laws. It has analyzed notions of
concurrency and nondeterminism. It has extended a standard power domain construction to apply to
incomplete domains, and has used that extension to define a power domain semantics for actor-based
languages.

The actor semantics presented in this thesis is not very abstract because the event diagrams 
contain far too much operational information for most purposes. For example, the Atolia program 


(f = accept [ ] send [ ] to g) 
(g = accept [ ] send 0 to user) 
(h = accept [ ] dummy) 


does not have the same meaning as 



(f = accept [ ] send [ ] to g) 

(h = accept [ ] dummy) 

(g = accept [ ] send 0 to user) 

because the second actor to be declared receives a message in the first program but not in the second. 
This is analogous to a problem that arises in standard semantics when two programs that are intuitively
equivalent turn out to have different meanings because they use storage in slightly different
ways. 1 In standard semantics the problem is made much less severe by concentrating on the final 
output of a program. In actor semantics it is not clear what should be considered the final output, 
though often the only thing of importance is the arrival ordering of a particular actor such as user. 
This matter deserves further attention. 

The semantics presented in this thesis needs to be extended to other kinds of actors besides 
primitive serializers. One goal of this extension should be to make it possible to regard a complex 
system of actors as a single actor. 

The technique of building power domains from incomplete domains is not limited to actor 
semantics. A fair power domain semantics for dual processors communicating via shared memory 
can also be constructed using this technique. I conjecture that an incomplete history domain could 
be used to construct a fair power domain semantics for the language of Communicating Sequential 
Processes. 

The power domains with incomplete underlying domains that have so far occurred to me seem 
unpleasantly operational, but the real limitations of the idea are not yet known. 

The category of (possibly incomplete) domains and ^-continuous maps as defined in Chapter III
is closed with respect to the usual domain constructors +, x, *, →, and the power domain construction
P[·] of Chapter III. A theorem stating conditions under which reflexive domain equations have
solutions in that category would be very useful.


1 See §4.1.1 of Robert Milne and Christopher Strachey, A Theory of Programming Language Semantics, Chapman and
Hall, London, 1976. 
Appendix I


Atolia: Informal Description 


This appendix describes the abstract syntax and informal semantics of a toy language illustrating 
actors. 
Atolia


(a toy language illustrating actors) 
Version 0 


Syntactic domains 


I ∈ Ide     identifiers
B ∈ Bas     bases
O ∈ Opr     operators
E ∈ Exp     expressions
Γ ∈ Com     commands
Φ ∈ Abs     abstractions (scripts)
Δ ∈ Dec     local declarations
Σ ∈ Act     actor script declarations


Productions

E ::= B | O E | I | [E₀ … Eₙ]
    | if E₀ then E₁ else E₂ | (E)

Γ ::= dummy | change I to E | become Φ | send E₀ to E₁
    | create (Σ) Γ | Γ₀; Γ₁ | if E then Γ₀ else Γ₁ | (Γ)

Φ ::= accept [I₀ … Iₙ] Γ | Δ inside Φ | if E then Φ₀ else Φ₁
    | (Φ)

Δ ::= I initially E | I = E | Δ₀; Δ₁ | (Δ)

Σ ::= (I = Φ) | Σ₀ Σ₁
Expressions


Bases 

B 

The bases are the constants and literals, such as the booleans true and false, the numerals
representing integers such as 0 and 1, representations for whatever other number types are needed,
and character strings such as "this is a string". They evaluate to the basic values of the
machine.

Operator applications 
O E

An operator application consists of an operator followed by an expression. To simplify the 
language, all operators take exactly one argument, but the effect of two or more arguments can be 
obtained by using a sequence as the argument. The expression is evaluated and fed to the operator, 
which returns a single result value. As is the case for all Atolia expressions, there are no side effects. 

Among the operators are predicates and functions such as equal, actorp, plus, and times. 
The operators of Atolia are fixed by the language; users cannot define additional operators. 

Identifiers 

I 

An identifier denotes a basic value, an actor, or a sequence of denoted values. In other words, an 
identifier can denote the result of any Atolia expression. Identifiers are bound by local declarations, 
by the patterns of accept statements, and by actor script declarations. 
Sequences
[E₀ … Eₙ]

A list of expressions in brackets indicates a sequence of values. Since sequences are themselves 
expressions, sequences may be nested. 

Conditional expressions 
if E₀ then E₁ else E₂

The expression in the predicate position must evaluate to a boolean value. If it evaluates to true, 
the expression following the then is evaluated and becomes the value of the conditional expression; 
otherwise the expression following the else is evaluated and becomes the value of the expression. As
with all expressions in Atolia, the predicate expression has no side effects.

Parenthesized expressions 

(E) 

Parentheses are ignored by the semantic equations. They appear in the abstract syntax to allow 
syntactically unambiguous programs to be written. 
Commands


Dummy commands 

dummy 

The dummy command has no effect. 

Assignments 
change I to E 

The change command causes the identifier to denote a new value. The identifier being 
changed must be mutable; in other words, it must have been declared by a declaration of the form I 
initially E. 

New behaviors 
become Φ

The become command specifies a new behavior for the actor, to become effective when the
actor unlocks. Only a subsequent become command can override the newly specified behavior. The
free identifiers of Φ are bound to the values they denote when the become command is executed.
Identifiers that are mutable at the time of the become command remain mutable in Φ unless
redeclared or bound.

Transmissions 
send E₀ to E₁

The send command evaluates expression E₀ and sends the result as a message to the actor
specified by E₁. E₁ must evaluate to an actor, of course.

Actor creations 
create (Σ) Γ

The create command is similar to the letrec expression of ISWIM and the labels expression
of Scheme. It permits the creation of mutually recursive actors. First the identifiers denoting
the newly created actors are bound to their newly allocated network addresses. Then the behaviors
of the new actors are fixed by binding the free variables of their scripts in the resulting environment. 
The new actors are not permitted to change the state variables of their creating actor, however, nor do 
subsequent changes by their creating actor affect the values of identifiers in the new actors. Then the 
creating actor executes a command before discarding the environment that contains the addresses of 
the new actors. The command may send messages to the new actors or may change a state variable to 
remember some of them as new acquaintances; there is no point to a create command of the form 
(create (Σ) dummy).

Sequencing 

Γ₀; Γ₁

Γ₀ is executed, followed by Γ₁. Atolia has no gotos or other sequencers that could alter the
sequential order of execution.

Conditional commands 
if E then Γ₀ else Γ₁

The expression must evaluate to a boolean. If the result is true, Γ₀ is executed; otherwise Γ₁ is
executed. The evaluation of the predicate expression has no side effects.

Parenthesized commands 

(Γ)

Parentheses are ignored. 
Abstractions (Scripts)


Accept statements 
accept [I₀ … Iₙ] Γ

The accept statement specifies a behavior. In Lisp terms, it is a lambda expression that
evaluates to a closure when it is encountered as part of an actor script declaration or become statement.
When the actor whose behavior it specifies first receives a message, it locks, binds identifiers I₀
through Iₙ to components of the message, executes the command Γ, and then unlocks. The command
Γ may cause messages to be sent and/or actors to be created. Γ also determines a new behavior for
the actor. If executing Γ does not result in executing any become or change commands, the new
behavior is the same as the old. If become commands are encountered, the last one determines the
new behavior of the actor. change commands can alter the behavior of an actor by changing the
values of mutable identifiers.

The identifiers bind to message components as follows. Usually the message is a sequence, in 
which case the elements of the message pair one-for-one with the corresponding identifiers, proceeding
from left to right. If the message sequence is longer than the list of identifiers, the extra message
components are ignored. If the list of identifiers is longer, the extra identifiers bind to the empty 
sequence. If the message is not a sequence, every identifier in the identifier list binds to the value 
of the message. If the identifier list is empty, no identifiers are bound and the message acts only to 
initiate execution of the command Γ. The exact manner in which the identifiers are bound to the
message components is to a great extent arbitrary, of course. The language Actl, on which Atolia is 
based, uses a considerably more sophisticated matcher. 

Abstractions governed by local declarations 

Δ inside Φ

The purpose of a local declaration is to bind identifiers referred to inside an abstraction. 





Conditional abstractions 
if E then Φ₀ else Φ₁

The expression must evaluate to a boolean. If the result is true, then Φ₀ is the abstraction to be
used. Otherwise Φ₁ is used.

Parenthesized abstractions 

(Φ)

Parentheses are ignored. 
Local Declarations


Mutable declarations 
I initially E 

The expression is evaluated and bound as the value of the identifier. 

Identifiers declared using initially are similar to “own” variables bound at declaration time.
They are state variables of the actor whose abstraction contains their declaration. Only that actor can 
alter them by change commands. When new actors are created, the new actors’ scripts may refer to 
state variables of the creating actor, but the value denoted by those references is fixed as the value 
of the state variables at the time of the created actors’ declarations. Not only can the created actor 
not change them, but subsequent changes by the creating actor do not affect the value seen by the 
created actor. 

Immutable declarations 
I = E 

Identifiers declared in this way cannot be altered except by being bound in a subsequent local 
declaration, accept statement, or actor script declaration. 

Sequencing of declarations 

Δ₀; Δ₁

Δ₀ is evaluated, followed by Δ₁.

Parenthesized declarations 

(Δ)

Parentheses are ignored. 
Actor Script Declarations


Script declaration 
(I = Φ)

The purpose of a script declaration is to bind an identifier I to a new actor whose initial behavior 
is given by . See the create command. 

Sequences of script declarations 

Σ₀ Σ₁

The order of script declarations is irrelevant (except when the same identifier is used twice, in 
which case the compiler ought to warn the programmer). See the create command. 


Programs 

An Atolia program is an actor script declaration. The program will be started by sending an 
empty message to the first actor declared in the program. The program may request input from and 
send output to a special actor denoted by user in the initial environment. The actor denoted by 
user may be a terminal, a file, or an operating system. 
Appendix II


Atolia: Sample Programs 


Iterative (tail recursive) factorial subprogram: 

(factorial = accept [ continuation n ]
               send [ continuation n 1 ] to loop)

(loop = accept [ continuation n product ]
          if or [ (lessp [ n 1 ]) (equal [ n 1 ]) ]
          then send product to continuation
          else send [ continuation
                      (minus [ n 1 ])
                      (times [ n product ]) ]
               to loop)


Recursive factorial subprogram: 

(factorial = accept [ continuation n ] 

if or [ (lessp [ n 1 ]) (equal [ n 1 ]) ] 
then send 1 to continuation 
else (create ((multiply-by-n 

= accept [ x ] 

send times [ n x ] to continuation)) 
send [ multiply-by-n (minus [ n 1 ]) ] 
to factorial)) 
A subprogram that creates instances of queues:

(create-queue
  = accept [ continuation ]
      create ((queue
                = q initially [ ]
                  inside
                    accept [ c op x ]
                      if equal [ op "empty?" ]
                      then send equal [ q [ ] ] to c
                      else
                      if equal [ op "length" ]
                      then send length(q) to c
                      else
                      if equal [ op "head" ]
                      then send if equal [ q [ ] ]
                                then "error -- empty queue has no head"
                                else first(q)
                           to c
                      else
                      if equal [ op "enque" ]
                      then change q to append [ q [ x ] ] ;
                           send "ok" to c
                      else
                      if equal [ op "deque" ]
                      then if equal [ q [ ] ]
                           then send "error -- can’t deque an empty queue"
                                to c
                           else change q to rest(q) ;
                                send "ok" to c
                      else
                      send "error -- unrecognized operation on queue" to c))
        send queue to continuation)
A program to calculate and print the prime numbers
using a parallel version of the Sieve of Eratosthenes: 


(print-primes = accept [ go ] 

send [ print-primes "request" ] to sieve ; 
become 

accept [ c r prime ] 
if print (prime) 

then send [ print-primes "request" ] to sieve 
else dummy) 

(integers = n initially 2 
inside 

accept [ c request ] 

send [ integers "reply" n ] to c ; 

change n to plus [ n 1 ]) 


(sieve =

generator initially integers ; 
waiting-consumer initially [ ] 
inside 

accept [ c r prime ] 
if equal [ r "request" ] 

then change waiting-consumer to c ; 

send [ sieve "request" ] to generator 


else 

if equal [ r "reply" ] 

then send [ sieve "reply" prime ] to waiting-consumer ; 

(create ((filter =

waiting-consumer initially [ ] ; 
candidate initially 0 ; 
multiple initially prime 
inside 

accept [ c r n ] 
if equal [ r "reply" ] 

then if lessp [ multiple n ] 
then change multiple 

to plus [ multiple prime ] ; 
send [ c r n ] to filter 

else

if equal [ multiple n ] 

then send [ filter "request" ] to generator 
else 

if lessp [ n multiple ] 

then if equal [ waiting-consumer [ ] ] 
then change candidate to n 
else send [ filter "reply" n ] 
to waiting-consumer ; 
change waiting-consumer to [ ] ;
send [ filter "request" ] 
to generator 

else dummy 

else 

if equal [ r "request" ] 

then if equal [ candidate 0 ] 

then change waiting-consumer to c 
else send [ filter "reply" candidate ] to c ;
change candidate to 0 ; 
send [ filter "request" ] to generator 

else dummy)) 

send [ filter "request" ] to generator ; 
change generator to filter) 
else dummy) 


A subprogram that acts as a stack: 

(stack = elements initially [ ] 
inside 

accept [ continuation op x ] 
if equal [ op "push" ] 

then change elements to [ x elements ] ; 
send "pushed" to continuation 

else

if equal [ op "pop" ] 
then 

(if equal [ elements [ ] ] 

then send "error -- stack empty" to continuation 
else change elements to second(elements) ; 
send "popped" to continuation) 

else

if equal [ op "top" ] 
then 

(if equal [ elements [ ] ] 

then send "error -- stack empty" to continuation 
else send first(elements) to continuation) 

else 

if equal [ op "empty?" ] 

then send equal [ elements [ ] ] to continuation 
else

send "error -- undefined operation on stack" to continuation) 
The LOOP program of Chapter IV:


(loop = accept [ ] 

send "addl" to loop ; 
become i initially 0 
inside 

accept [ msg ] 

if equal [ msg "addl" ] 

then change i to plus [ i 1 ] ; 
send "addl" to loop 

else 

if equal [ msg "halt" ] 

then send i to user ; become accept [ ] dummy 
else dummy) 


The unboundedly nondeterministic CHOOSE program of Chapter IV: 

(choose = accept [ ] 

send "addl" to choose ; 
send "halt" to choose ; 
become i initially 0 
inside 

accept [ msg ] 
if equal [ msg "addl" ] 

then change i to plus [ i 1 ] ; 
send "addl" to choose 

else

if equal [ msg "halt" ] 

then send i to user ; become accept [ ] dummy 
else dummy) 


The possibly nonterminating CHOICE-LOOP program of Chapter IV: 

(choice-loop = accept [ ] 

send "addl" to choice-loop ; 
send "stop" to choice-loop ; 
become i initially 0 ; 

waiting initially false 
inside 

accept [ msg ] 
if waiting 

then if equal [ msg "stop" ] 

then change i to plus [ i 1 ] ; 
change waiting to false ; 
send "addl" to choice-loop ; 
send "stop" to choice-loop 
else dummy 

else if equal [ msg "addl" ] 

then change waiting to true 
else 

if equal [ msg "stop" ] 
then send i to user ; 

become accept [ ] dummy 
else dummy) 
Appendix III


Atolia: Comparison with Actl and CSP 


Atolia is a toy language designed to illustrate actors. In most respects Atolia is merely a simplified 
form of the experimental language Actl. 1 A multiprocessing version of a small dialect of Actl has 
been implemented on the MIT Lisp Machines using the Chaosnet for interprocessor communication. 
Nondeterministic single processor implementations with simulated concurrency exist for Atolia on the 
MIT Lisp Machines and on the MIT AI Lab’s PDP-10. 

Actl has a number of syntactic features not found in Atolia. Whereas in Atolia continuations 
must be passed as explicit message components, Actl has conventions that allow most continuations 
to be suppressed. Whereas an Atolia program can create actors only through the create command, 
Actl programs create many actors implicitly. These features of Actl make programming easier, but 
the large doses of syntactic sugar obscure what is really going on in terms of actor semantics. Since 
illustrating actor semantics is the whole purpose of Atolia, its syntax is less refined than Actl’s. 

The only major semantic difference between Atolia and Actl is that everything in Actl is considered
to be an actor. For example, the behavior of an actor in Actl is another actor; an actor’s state
variables are also actors. This must not be taken too seriously because it leads to an infinite regress of 
message passing, as an actor consults its behavior to see what to do, and its behavior then consults its 
behavior, and so on. It is also hard to understand how a primitive serializer that has asked its behavior 

1 Carl Hewitt, Giuseppe Attardi, and Henry Lieberman, “Specifying and proving properties of guardians for distributed
systems,” Semantics of Concurrent Computation, Springer-Verlag Lecture Notes in Computer Science 70, 1979, pages 
316-336. 





how to act on a message it has accepted can accept the behavior’s reply while remaining locked from 
the original message. 2 

In Atolia, however, actors correspond to network addresses identifying code segments. The behavior
of an actor is not itself an actor, but is instead a mathematical function defined by the actor’s
code via a conventional programming language semantics. The behavior of an actor bears the same 
relation to the actor that the a priori meaning of a process bears to the process in the semantics of 
Communicating Sequential Processes. 3 

Actors in Atolia are similar in other ways to the processes of Communicating Sequential 
Processes (CSP). 4 (So are the actors of Actl, but Atolia is more like CSP than is Actl.) Like CSP 
processes, actors cannot access each other’s local variables, and aside from actors acting as data structures
there are no global variables. As with CSP processes, all interaction between actors takes place
through message passing. 

CSP processes whose repetitive commands have only input guards and whose alternative commands
have as guards either all input guards or all boolean guards are roughly comparable to actors
whose command body contains no create commands. Atolia has no counterpart to the automatic 
termination of a repetitive command with input guards, however, so an actor requires some sort of 
condition to become true before it proceeds to the rest of its text (using become). 

CSP input commands must name the outputting process, while an actor can accept messages 
from actors it does not know about. CSP output commands cause the outputting process to wait until 
the target process accepts the message; an actor starts a message on its way and the actor proceeds, no 
permission or acknowledgement being required from the target actor. Each message sent in Atolia is 
eventually accepted by its target actor; a CSP output command may never finish execution because 
the target process never accepts the message. 

CSP has nothing resembling the create command of Atolia. A CSP program consists of a fixed
number of processes, and the intercommunication topology of those processes is static. The process 
2 The most recent version of Actl has, in fact, backed away from some of these views. 

3 Nissim Francez, C A R Hoare, Daniel J Lehmann, and Willem P deRoever, “Semantics of nondeterminism, concurrency,
and communication”, J Computer and System Sciences 19, 1979, pages 290-308.

4 C A R Hoare, “Communicating sequential processes”, CACM 21, 8, August 1978, pages 666-677.
identifiers of input and output commands are constants, so that the set of processes a given process
can send to or receive from is apparent from its text. Atolia, in contrast, permits actors to be created 
dynamically. Actor names may be passed freely in messages, and may be bound as the value of 
identifiers. Indeed Atolia’s syntax allows arbitrary expressions to appear in the target position of send 
commands. 

The fact that actors can be created does not imply that Atolia is unsuitable for implementation 
on a fixed network of processors. Many actors are created only to serve as explicit continuations for 
recursive programs; actor creation of this sort can be as inexpensive as recursive function calls in 
Lisp. In other instances actor creation corresponds to process creation. The questions of which actor 
creations should be implemented as local function calls and which should be implemented as concurrent
processes can be decided by a compiler based on its knowledge of the target machine. While
there may be good reasons for retaining the conventional syntactic distinctions between function calls 
(generating implicit continuations) and process creation, it is an achievement of the actor model that 
process creation and continuation creation appear the same semantically. 



Appendix IV 


Atolia: Formal Semantics 


This appendix presents the semantics of a toy language illustrating actors, culminating in the 
definition of a function 

< 3 >: Act -> (A —> F) 

giving for each program an assignment of initial behaviors to actors. This function is the starting point 
for the power domain semantics of Chapter IV, modified for actor creation by the changes outlined in 
§V.4. 

The notation in this appendix is based on that of Robert Milne and Christopher Strachey, A 
Theory of Programming Language Semantics . 5 A one page summary appears at the end of this appendix.
Similar notation is used by Tennent, Gordon, and Stoy (see bibliography).


5 Chapman and Hall, London, 1976.
Atolia


(a toy language illustrating actors) 
Version 0 


Syntactic domains 


I ∈ Ide     identifiers
B ∈ Bas     bases
O ∈ Opr     operators
E ∈ Exp     expressions
Γ ∈ Com     commands
Φ ∈ Abs     abstractions (scripts)
Δ ∈ Dec     local declarations
Σ ∈ Act     actor script declarations


Productions

E ::= B | O E | I | [E₀ … Eₙ]
    | if E₀ then E₁ else E₂ | (E)

Γ ::= dummy | change I to E | become Φ | send E₀ to E₁
    | create (Σ) Γ | Γ₀; Γ₁ | if E then Γ₀ else Γ₁ | (Γ)

Φ ::= accept [I₀ … Iₙ] Γ | Δ inside Φ | if E then Φ₀ else Φ₁ | (Φ)

Δ ::= I initially E | I = E | Δ₀; Δ₁ | (Δ)

Σ ::= (I = Φ) | Σ₀ Σ₁
Value domains


α ∈ A = {user} + ({program} × N) + ((A × M⁺) × N)     actors
γ ∈ G = A × G                                          actor name generators
μ ∈ M = V                                              messages
φ ∈ F = M → G → F × (A × M)* × F*                      behaviors
    T                                                  truth values
ν ∈ N                                                  integers
    R                                                  numbers
    H                                                  characters
    B = T + N + R + H*                                 basic values
ε ∈ V = T + N + R + H* + A + V*                        denoted values
ρ ∈ U = (Ide → (V + {unbound})) × Ide*                 environments
χ ∈ X = U → F                                          behavior continuations
Semantic functions


*36: Bas —► B 
0: Opr —* V —► V 
8: Exp —► U —► V 


Jf: 

Com —> 

U 

—► 

G 

-4 

X -» 

X 

*T: 

Com —► 

U 

—► 

G 

—4 

(A x 

M) 

C: 

Com —► 

u 

—► 

G 

- 

F* 


<U: 

Com —► 

u 

—► 

G 


U 



(j: Com —> U — 4 G —> G 
Abs —► U —> F 
U 

G —> U 
G 
F* 

F 


30: Dec —+• U —► 
5: Act —► U —► 
5: Act —► G — 
f: Act —> U —> 
ty: Act —► A —* 
6: Exp —> U —► V


S[B] = in V 

8J0E] = \p. 0[0] (8|Ejp) 

ep] = Xp.(pU) PI 

8|[Eo- • -E„]l = \p. (8[Eo]p,..., 8[E n ]p) 

g[if Eo then Ei else E2J 

= Ap.(Xe.eET -» ((e | T) —* gJEJp, 8lE 2 ]]p), error) 

(SJEolp) 

8[(E)] = gpl 


X Com —► U —* G —► X —► X 

Jf [[dummy]] = X/yyx-X 
J'Tjchange I to E] = X/ryx.X 
JT[become <£] = X/ryx • (X/c/. C J[[<1>]]/?) 

Jfjsend Eo to Ei] = Xp7X-X 

Jfjcreate (S) rj = X/ryx . ^[r] (J[E]]/yy)(JlPMx 

Jriroirj = xp7x.^ril(^rolP7)(girolP7)(Jr[ro]P7x) 

Jfflif E then To else Ti] 

= X/ryx . (Xe . e E T ((c | T) -» Jf[r 0 ]|/ryx, -W|[ri]]p7X)* error) 

mm 

mrn = xm 
*T: Com —► U -> G —► (A x M)*

•3T [[dummy]] = Xp 7 .() 

^[change I to E] = Xp 7 .() 

•^[become 4>] = X/ry. () 

^[send Eo to EiJ = Xp 7 . (Xe. e E A —+ (((e | A), 6 [Eo]p in M», error) (6 [Ei]p) 
^[create (E) r] = Xp7 • (JplP7)0PM 

^pvr,] = Xp 7 .(^ro]P7)§(^ir 1 ]|( c urol^)(g[ro]p7)) 

«T[[1f E then To else Tij 

= Xp 7 . (Xe. e E T -» ((e | T) -» ^[r 0 ]|p7, ^P"i]p7), error) 

mm 

mrn = nn 


C: Com —► U —> G —> F* 

Cjdummy] = Xp7.{) 

Cjchange I to Ej=X/ry.() 

Cjbecome $] = Xp7.() 

Cjsend Eo to EJ = Xp7.() 

C[create (E) r] = Xp 7 . (^[E](5[E]p7)) § (C[E] (3[E]p7) (HEJ7)) 

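$\mathcal{C}[\![\Gamma_0; \Gamma_1]\!] = \lambda\rho\gamma.\ (\mathcal{C}[\![\Gamma_0]\!]\rho\gamma) \mathbin{\S} (\mathcal{C}[\![\Gamma_1]\!]\,(\mathcal{U}[\![\Gamma_0]\!]\rho\gamma)\,(\mathcal{G}[\![\Gamma_0]\!]\rho\gamma))$

$\mathcal{C}[\![\text{if } E \text{ then } \Gamma_0 \text{ else } \Gamma_1]\!] = \lambda\rho\gamma.\ (\lambda\epsilon.\ \epsilon \mathrel{\mathsf{E}} T \to ((\epsilon \mid T) \to \mathcal{C}[\![\Gamma_0]\!]\rho\gamma,\ \mathcal{C}[\![\Gamma_1]\!]\rho\gamma),\ \mathit{error})\,(\mathcal{E}[\![E]\!]\rho)$

$\mathcal{C}[\![(\Gamma)]\!] = \mathcal{C}[\![\Gamma]\!]$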
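$\mathcal{U} : \mathrm{Com} \to U \to G \to U$

$\mathcal{U}[\![\text{dummy}]\!] = \lambda\rho\gamma.\ \rho$

$\mathcal{U}[\![\text{change } I \text{ to } E]\!] = \lambda\rho\gamma.\ I \mathrel{\mathsf{E}} (\rho \downarrow 2) \to \rho[\mathcal{E}[\![E]\!]\rho / I],\ \mathit{error}$

$\mathcal{U}[\![\text{become } \Phi]\!] = \lambda\rho\gamma.\ \rho$

$\mathcal{U}[\![\text{send } E_0 \text{ to } E_1]\!] = \lambda\rho\gamma.\ \rho$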

‘Ujcreate (E) T] = \fn • updatespf'lljrj(H^M) 

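$\mathcal{U}[\![\Gamma_0; \Gamma_1]\!] = \lambda\rho\gamma.\ \mathcal{U}[\![\Gamma_1]\!]\,(\mathcal{U}[\![\Gamma_0]\!]\rho\gamma)\,(\mathcal{G}[\![\Gamma_0]\!]\rho\gamma)$

$\mathcal{U}[\![\text{if } E \text{ then } \Gamma_0 \text{ else } \Gamma_1]\!] = \lambda\rho\gamma.\ (\lambda\epsilon.\ \epsilon \mathrel{\mathsf{E}} T \to ((\epsilon \mid T) \to \mathcal{U}[\![\Gamma_0]\!]\rho\gamma,\ \mathcal{U}[\![\Gamma_1]\!]\rho\gamma),\ \mathit{error})\,(\mathcal{E}[\![E]\!]\rho)$

$\mathcal{U}[\![(\Gamma)]\!] = \mathcal{U}[\![\Gamma]\!]$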


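$\mathcal{G} : \mathrm{Com} \to U \to G \to G$

$\mathcal{G}[\![\text{dummy}]\!] = \lambda\rho\gamma.\ \gamma$

$\mathcal{G}[\![\text{change } I \text{ to } E]\!] = \lambda\rho\gamma.\ \gamma$

$\mathcal{G}[\![\text{become } \Phi]\!] = \lambda\rho\gamma.\ \gamma$

$\mathcal{G}[\![\text{send } E_0 \text{ to } E_1]\!] = \lambda\rho\gamma.\ \gamma$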

gjcreate (£) r] = Ap 7 . g[r] (3[E]p 7 )(H^W 

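$\mathcal{G}[\![\Gamma_0; \Gamma_1]\!] = \lambda\rho\gamma.\ \mathcal{G}[\![\Gamma_1]\!]\,(\mathcal{U}[\![\Gamma_0]\!]\rho\gamma)\,(\mathcal{G}[\![\Gamma_0]\!]\rho\gamma)$

$\mathcal{G}[\![\text{if } E \text{ then } \Gamma_0 \text{ else } \Gamma_1]\!] = \lambda\rho\gamma.\ (\lambda\epsilon.\ \epsilon \mathrel{\mathsf{E}} T \to ((\epsilon \mid T) \to \mathcal{G}[\![\Gamma_0]\!]\rho\gamma,\ \mathcal{G}[\![\Gamma_1]\!]\rho\gamma),\ \mathit{error})\,(\mathcal{E}[\![E]\!]\rho)$

$\mathcal{G}[\![(\Gamma)]\!] = \mathcal{G}[\![\Gamma]\!]$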
$\mathcal{F} : \mathrm{Abs} \to U \to F$


^[accept [I 0 ---In] rj 

= fix{\x - ^P - ^1 ■ i^p'■ VfPWl, C|[r]p'7» 

(( divert p ( match (I 0 ,..., I„) (/x | V))) [ 1, removes (I 0 ,..., I n ) (P I 2))) 
?F[A inside $]] = (^[Ajp) 

‘Jjif E then <I>o else 

= Xp.{Xe.c E T -> ((e | T) -► 9 [$iM error) 

mm 

nwi=nn 


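$\mathcal{D} : \mathrm{Dec} \to U \to U$

$\mathcal{D}[\![I \text{ initially } E]\!] = \lambda\rho.\ \langle (\rho[\mathcal{E}[\![E]\!]\rho / I]) \downarrow 1,\ (\rho \downarrow 2) \mathbin{\S} \langle I \rangle \rangle$

$\mathcal{D}[\![I = E]\!] = \lambda\rho.\ \langle (\rho[\mathcal{E}[\![E]\!]\rho / I]) \downarrow 1,\ \mathit{remove}\ I\ (\rho \downarrow 2) \rangle$

$\mathcal{D}[\![\Delta_0; \Delta_1]\!] = \lambda\rho.\ \mathcal{D}[\![\Delta_1]\!]\,(\mathcal{D}[\![\Delta_0]\!]\rho)$

$\mathcal{D}[\![(\Delta)]\!] = \mathcal{D}[\![\Delta]\!]$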
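The declaration equations above, together with the `change` clause of the environment function for commands and the auxiliary function remove, fix which identifiers a command may rebind: only those listed in the second component of the environment. The following Python sketch is an added illustration, not part of the thesis. It assumes a dict for the binding function, sentinel strings for unbound and error, and expressions restricted to integer literals and identifier names, and it omits the unused G argument of the command function.

```python
# Environments follow the appendix: rho = (bindings, changeable), i.e. U = (Ide -> D) x Ide*.
# Assumptions of this sketch: dict bindings, sentinel strings, literal/identifier expressions.
UNBOUND, ERROR = "unbound", "error"

def arid():
    """arid = <(lambda I. unbound), <>>"""
    return ({}, ())

def lookup(rho, ident):
    """(rho down 1)[[I]]"""
    return rho[0].get(ident, UNBOUND)

def update(rho, value, ident):
    """rho[value/I]: rebind I, leaving the changeable list (rho down 2) untouched."""
    return ({**rho[0], ident: value}, rho[1])

def remove(ident, seq):
    """remove I x: drop every occurrence of I from the sequence x."""
    if len(seq) == 0:
        return ()
    if ident == seq[0]:
        return remove(ident, seq[1:])
    return (seq[0],) + remove(ident, seq[1:])

def E(expr, rho):
    """Expression semantics restricted to literals and identifiers."""
    return lookup(rho, expr) if isinstance(expr, str) else expr

def D_initially(ident, expr, rho):
    """D[[I initially E]]: bind I and append it to the changeable identifiers."""
    return (update(rho, E(expr, rho), ident)[0], rho[1] + (ident,))

def D_equals(ident, expr, rho):
    """D[[I = E]]: bind I and remove it from the changeable identifiers."""
    return (update(rho, E(expr, rho), ident)[0], remove(ident, rho[1]))

def U_change(ident, expr, rho):
    """U[[change I to E]]: allowed only when I is in (rho down 2), otherwise error."""
    return update(rho, E(expr, rho), ident) if ident in rho[1] else ERROR

def demo():
    # Constructed declarations: "count initially 0; limit = 10"
    rho = D_equals("limit", 10, D_initially("count", 0, arid()))
    ok = U_change("count", "limit", rho)   # count is changeable
    denied = U_change("limit", 99, rho)    # limit was declared with "="
    frozen = D_equals("count", 1, rho)     # redeclaring with "=" revokes changeability
    return lookup(ok, "count"), denied, U_change("count", 2, frozen)
```
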
3: Act → U → G → U 

3J(I = *)] = *P7 ■{(/>[(')' 11)/I]) I 1, remove I (p | 2)> 

3|E 0 Eil = X/ni.3|Eil(J|SolPl)OPob) 


$i Act —► G —► G 

31(1 = *)1 = X 7 .-U2 
Jpo E 1 l=x / n-3IEil(3lSoh) 


3: Act -* U -> F* 

31(1 = *)] = Xp.<ff[*l(pll,0» 
3[E 0 Eil = X/,.(JIEol/>)5(y|lEilp) 
Act → A → F 


^[E] = beh (^ffl£]l (5JE] pinitiallinitial )) 


where 

Anftiai = ((M. (I — user) —> user, unbound), ()) 

'll initial — gamma program 

and 

beh: F* A —► F 
is defined by 

beh(f)* user = fix(\(f ). X/Lry . (</>, (), ())) 
beh<j>* (program ,v) = (J>* J, (i/ -|- 1) 

6 e/i ((a, /z*), i/) = (((i behav a ( beh <f>*a) ( droplast p*)) 

(last p*) (gamma (a, p*))) 1 3) j (u -f-1) 


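$\mathit{last}\ \mu^* = \mu^* \downarrow \#\mu^*$

$\mathit{droplast}\ \mu^*$ is the sequence $\mu_0^*$ such that $\mu_0^* \mathbin{\S} \langle \mu^* \downarrow \#\mu^* \rangle = \mu^*$.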
Auxiliary functions 


PVI I] = <(xr = I —> e, (p I 1} p'l), P 1 2 ) 

$\mathit{arid} = \langle (\lambda I.\ \mathit{unbound}),\ \langle\rangle \rangle$

divert : U —♦ U 

divertpopi = ((XI. (pi | 1) [I] =4 unbound -► (pi | 1) [I], (a) I 1) PI), (A) I 2 ) § (pi | 2 )) 
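$\mathit{remove} : \mathrm{Ide} \to \mathrm{Ide}^* \to \mathrm{Ide}^*$

$\mathit{remove}\ I\ x = (0 = \#x) \to \langle\rangle,\ (I = (x \downarrow 1)) \to \mathit{remove}\ I\ (x \dagger 1),\ \langle x \downarrow 1 \rangle \mathbin{\S} \mathit{remove}\ I\ (x \dagger 1)$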


$\mathit{removes} : \mathrm{Ide}^* \to \mathrm{Ide}^* \to \mathrm{Ide}^*$

$\mathit{removes}\ I^*\ x = (0 = \#I^*) \to x,\ \mathit{removes}\ (I^* \dagger 1)\ (\mathit{remove}\ (I^* \downarrow 1)\ x)$


updates : U —► U —* U 

updates pop, = (M*. (0 = f(p, 1 2)) 


(Pi i 2) 


Po, (XI . updates (po[(pi J. 1) PI /I]) 
«Pi i 1), (I* 11))) 

(I* I 1)) 





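$\mathit{match} : \mathrm{Ide}^* \to V \to U$

$\mathit{match}\ I^*\ \epsilon = (0 = \#I^*) \to \mathit{arid},$

$\quad \epsilon \mathrel{\mathsf{E}} V^* \to (0 = \#(\epsilon \mid V^*) \to \mathit{divert}\ (\mathit{arid}[\langle\rangle / I])\ (\mathit{match}\ (I^* \dagger 1)\ \epsilon),$

$\qquad \mathit{divert}\ (\mathit{arid}[(\epsilon \downarrow 1) / I])\ (\mathit{match}\ (I^* \dagger 1)\ (\epsilon \dagger 1))),$

$\quad \mathit{divert}\ (\mathit{arid}[\epsilon / I])\ (\mathit{match}\ (I^* \dagger 1)\ \epsilon)$
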

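$\mathit{gamma} : (\{\mathit{program}\} + (A \times M^{+})) \to G$

$\mathit{gamma}\ x = (\mathit{fix}(\lambda f.\ \lambda x \nu.\ \langle \langle x, \nu \rangle,\ f\ x\ (\nu + 1) \rangle))\ x\ 0$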

behav: A —► F —> M* —► F 
behav a(j>p* 

— {fix(\f. . (0 = f^o) 

{{<f> (ho i 1) (gamma (a, n\ § (j*g j 1}))) 1 1) 

W 11) 

M § (rt i 1»)) 

<*<f>h*{) 
Notation 

All domains in this appendix are complete lattices. 

The separated sum of lattices $D_0, \ldots, D_n$ is defined in Milne and Strachey, and is written $D = D_0 + \cdots + D_n$. If $x$ belongs to the sum $D$, then $x \mathrel{\mathsf{E}} D_i$ tells whether $x$ is in the summand $D_i$. $x \mid D_i$ is the projection of $x$ to $D_i$, while $y \text{ in } D$ indicates the injection of $y$ into $D$ for $y$ a member of a summand of $D$. While some of the semantic equations may omit some injections and projections, injections and projections into and from the domains $A$, $G$, and $M$ will always be given explicitly. These domains must be treated with care because it is easy to confuse some of their elements with elements of $V$. For example, an element $\epsilon \mathrel{\mathsf{E}} V$ can never be an element of $M$ although $\epsilon \text{ in } M$ is always an element of $M$. Similarly no element of $A$ is an element of $V^*$. 

The product of lattices is written $D_0 \times \cdots \times D_n$. Elements of the product are written $\langle x_0, \ldots, x_n \rangle$, and the projections are indicated by $\langle x_0, \ldots, x_n \rangle \downarrow i+1 = x_i$. 

$D^*$ is the lattice of finite sequences from $D$, including the empty sequence $\langle\rangle$. If $\delta$ is a metavariable used to range over the domain $D$, then $\delta^*$ indicates an arbitrary element of $D^*$. The length of a sequence $\delta^*$ is indicated by $\#\delta^*$, so that $\#\langle\rangle = 0$ and $\#\langle \delta_0, \ldots, \delta_n \rangle = n + 1$ when $n > 0$. Projections are indicated by $\langle \delta_0, \ldots, \delta_n \rangle \downarrow i+1 = \delta_i$. $\delta_0^* \mathbin{\S} \delta_1^*$ is the concatenation of $\delta_0^*$ and $\delta_1^*$. $\delta^* \dagger n$ indicates the finite sequence obtained by dropping the first $n$ elements of the sequence $\delta^*$. When $\delta^*$ is a sequence, $x \mathrel{\mathsf{E}} \delta^*$ tells whether there exists an integer $i$ such that $\delta^* \downarrow i = x$. 

$D_0 \to D_1$ is the lattice of continuous functions from $D_0$ to $D_1$. Unlike sums and products, function lattices are always formed from exactly two domains. $D_0 \to D_1 \to D_2$ is taken to mean $D_0 \to (D_1 \to D_2)$. 

Function application is indicated by juxtaposition, associating to the left unless parentheses instruct otherwise. Lambda abstraction is written $\lambda x.\ y$. 

$\mathit{fix}$ is the usual fixed point operator. 

$x \to y_0, y_1$ is $y_0$ if $x$ is true, $y_1$ if $x$ is false, undefined if $x$ is undefined, and $\mathit{error}$ if $x = \mathit{error}$. Each domain is assumed to have a special element $\mathit{error}$ that is to be preserved under all the semantic equations, though the special tests for $\mathit{error}$ have been left out of the equations in the interest of informal clarity. 